match_hostname treats SAN IP address as DNS name and fails to check CN then #73124
Comments
From Lib/ssl.py, line 303: `elif key == 'IP Address':`

RFC 2818 and RFC 6125 say that CN should not be used if subjectAltNames contains DNS names. This means CN should still be checked if SAN contains only IP addresses. By appending the IP address to dnsnames in line 306 it will not check the CN if there are no DNS names in SAN but only an IP address.
Python's implementation of host name verification conforms to RFC 6125, section 6.4.4. The CN check is optional (MAY). Python treats the presence of an IP Address as an indicator that the CN check should not be performed. In fact, hostname verification code should be more strict and not fall back to CN when a SRV-ID or URI is present. But the ssl module lacks support to fetch SRV-ID, see bpo-28191. Since public CAs and members of the CAB forum are not yet allowed to issue certificates with SRV-ID, it's not a security issue.

https://tools.ietf.org/html/rfc6125#section-6.4.4

> 6.4.4. Checking of Common Names
>
> As noted, a client MUST NOT seek a match for a reference identifier
>
> Therefore, if and only if the presented identifiers do not include a
On Sun, Dec 11, 2016 at 08:26:32PM +0000, Christian Heimes <report@bugs.python.org> wrote:
RFC 6125 does not obsolete RFC 2818. In fact it says in section 1.4:

> This document also does not supersede the rules for verifying service

Where Appendix B.2 explicitly cites the relevant parts from RFC 2818 like this:

> If a subjectAltName extension of type dNSName is present, that MUST

Thus while RFC 6125 might say MAY for checking the CN, the more specific RFC

Regards,
I don't like to change the behavior of match_hostname(). RFC 2818 is deprecated. Recent browsers are no longer using CN to verify hostnames. Python is going to ignore CN soonish, too.
+1 Christian, we should not be expanding our usage of CNs at all.
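To make the two readings argued in this thread concrete, here is an added example (not code from CPython's Lib/ssl.py or from anyone in this issue) that implements the identifier dispatch in pure Python over certificate dicts in the shape getpeercert() returns. The certificates, hostnames and the cn_fallback_if_san_has_no_dns switch are constructed for illustration: the default branch reproduces the behaviour the thread attributes to ssl.py (any SAN entry, including an IP Address, suppresses the CN fallback), and the switch shows what the reporter asked for.

```python
import ipaddress

# Constructed sample certificates in the dict shape ssl getpeercert() returns.
CERT_CN_ONLY = {"subject": ((("commonName", "example.test"),),)}
CERT_SAN_IP_ONLY = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
CERT_SAN_DNS_AND_IP = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("IP Address", "192.0.2.10")),
}

def _dns_matches(pattern, hostname):
    """Case-insensitive label match; '*' is accepted only as the whole leftmost label."""
    pats, host = pattern.lower().split("."), hostname.lower().split(".")
    if len(pats) != len(host) or (pats[0] == "*" and len(pats) < 3):
        return False
    return (pats[0] == "*" or pats[0] == host[0]) and pats[1:] == host[1:]

def _ip_matches(san_ip, hostname):
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(hostname)
    except ValueError:  # hostname is not an IP literal, or the SAN value is malformed
        return False

def hostname_matches(cert, hostname, cn_fallback_if_san_has_no_dns=False):
    """Return True if `hostname` is an identifier of `cert`.
    Default: any SAN entry (DNS or IP Address) suppresses the CN fallback, which is
    what the thread says Lib/ssl.py does by appending IPs to dnsnames.
    cn_fallback_if_san_has_no_dns=True is the reporter's reading of RFC 2818:
    fall back to CN whenever SAN carries no dNSName at all.
    """
    dns_names, ip_names = [], []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            dns_names.append(value)
        elif key == "IP Address":
            ip_names.append(value)
    if any(_dns_matches(p, hostname) for p in dns_names):
        return True
    if any(_ip_matches(ip, hostname) for ip in ip_names):
        return True
    if dns_names or (ip_names and not cn_fallback_if_san_has_no_dns):
        return False  # SAN present but nothing matched: do not consult CN
    # No usable SAN identifier: fall back to the commonName entries in subject
    return any(_dns_matches(value, hostname)
               for rdn in cert.get("subject", ()) for key, value in rdn
               if key == "commonName")
```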