Remove SubjectAltNameWarning and add test for removing commonName fal…

…lback.
urllib3 · Dec 22, 2020 · 78a2936 · 78a2936
1 parent 6bbee9a
commit 78a2936
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 41 deletions.
diff --git a/src/urllib3/__init__.py b/src/urllib3/__init__.py
@@ -69,8 +69,6 @@ def add_stderr_logger(level=logging.DEBUG):
 # mechanisms to silence them.
 # SecurityWarning's always go off by default.
 warnings.simplefilter("always", exceptions.SecurityWarning, append=True)
-# SubjectAltNameWarning's should go off once per host
-warnings.simplefilter("default", exceptions.SubjectAltNameWarning, append=True)
 # InsecurePlatformWarning's don't vary between requests, so we keep it default.
 warnings.simplefilter("default", exceptions.InsecurePlatformWarning, append=True)
 # SNIMissingWarnings should go off only once.

diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
@@ -24,12 +24,7 @@ class BaseSSLError(BaseException):
 
 
 from ._version import __version__
-from .exceptions import (
-    ConnectTimeoutError,
-    NewConnectionError,
-    SubjectAltNameWarning,
-    SystemTimeWarning,
-)
+from .exceptions import ConnectTimeoutError, NewConnectionError, SystemTimeWarning
 from .packages.ssl_match_hostname import CertificateError, match_hostname
 from .util import SKIP_HEADER, SKIPPABLE_HEADERS, connection
 from .util.ssl_ import (
@@ -421,16 +416,6 @@ def connect(self):
             # the TLS library, this cannot always be done. So we check whether
             # the TLS Library still thinks it's matching hostnames.
             cert = self.sock.getpeercert()
-            if not cert.get("subjectAltName", ()):
-                warnings.warn(
-                    (
-                        f"Certificate for {hostname} has no `subjectAltName`, falling back to check for a "
-                        "`commonName` for now. This feature is being removed by major browsers and "
-                        "deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 "
-                        "for details.)"
-                    ),
-                    SubjectAltNameWarning,
-                )
             _match_hostname(cert, self.assert_hostname or server_hostname)
 
         self.is_verified = (

diff --git a/src/urllib3/exceptions.py b/src/urllib3/exceptions.py
@@ -186,12 +186,6 @@ class SecurityWarning(HTTPWarning):
     pass
 
 
-class SubjectAltNameWarning(SecurityWarning):
-    """Warned when connecting to a host with a certificate missing a SAN."""
-
-    pass
-
-
 class InsecureRequestWarning(SecurityWarning):
     """Warned when making an unverified HTTPS request."""
 

diff --git a/test/contrib/test_pyopenssl.py b/test/contrib/test_pyopenssl.py
@@ -35,7 +35,6 @@ def teardown_module():
     TestHTTPS,
     TestHTTPS_IPSAN,
     TestHTTPS_IPV6SAN,
-    TestHTTPS_NoSAN,
     TestHTTPS_TLSv1,
     TestHTTPS_TLSv1_1,
     TestHTTPS_TLSv1_2,

diff --git a/test/test_connection.py b/test/test_connection.py
@@ -4,6 +4,10 @@
 import pytest
 
 from urllib3.connection import RECENT_DATE, CertificateError, _match_hostname
+from urllib3.packages.ssl_match_hostname._implementation import (
+    CertificateError as ImplementationCertificateError,
+)
+from urllib3.packages.ssl_match_hostname._implementation import match_hostname
 
 
 class TestConnection:
@@ -43,6 +47,15 @@ def test_match_hostname_mismatch(self):
             )
             assert e._peer_cert == cert
 
+    def test_match_hostname_ignore_common_name(self):
+        cert = {"subject": [("commonName", "foo")]}
+        asserted_hostname = "foo"
+        with pytest.raises(
+            ImplementationCertificateError,
+            match="no appropriate subjectAltName fields were found",
+        ):
+            match_hostname(cert, asserted_hostname)
+
     def test_recent_date(self):
         # This test is to make sure that the RECENT_DATE value
         # doesn't get too far behind what the current date is.

diff --git a/test/with_dummyserver/test_https.py b/test/with_dummyserver/test_https.py
@@ -782,22 +782,6 @@ class TestHTTPS_TLSv1_3(TestHTTPS):
     certs = TLSv1_3_CERTS
 
 
-class TestHTTPS_NoSAN:
-    def test_warning_for_certs_without_a_san(self, no_san_server):
-        """Ensure that a warning is raised when the cert from the server has
-        no Subject Alternative Name."""
-        with mock.patch("warnings.warn") as warn:
-            with HTTPSConnectionPool(
-                no_san_server.host,
-                no_san_server.port,
-                cert_reqs="CERT_REQUIRED",
-                ca_certs=no_san_server.ca_certs,
-            ) as https_pool:
-                r = https_pool.request("GET", "/")
-                assert r.status == 200
-                assert warn.called
-
-
 class TestHTTPS_IPSAN:
     def test_can_validate_ip_san(self, ip_san_server):
         """Ensure that urllib3 can validate SANs with IP addresses in them."""