Message 135411 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	nbareil
Recipients	kiilerix, nbareil, pitrou, python-dev, sdaoden
Date	2011-05-07.07:48:34
SpamBayes Score	0.0001508831
Marked as misclassified	No
Message-id	<1304754517.36.0.568196346631.issue12000@psf.upfronthosting.co.za>
In-reply-to

Content
Hello Mads > Until now Python failed to the safe side by not matching on > subjectAltName iPAddress but also not falling back to commonName > if they were specified. AFAICS, with this change it is possible to > create strange certificates that Python would accept when an IP > address matched commonName but other implementations would reject > because of iPAddress mismatch. Good point! But I think we already have this issue with a certificate like this one: cert = { 'subject': ((('commonName', '192.168.1.1'),),)} ok(cert, '192.168.1.1') Do you think this test should fail?

Hello Mads

> Until now Python failed to the safe side by not matching on 
> subjectAltName iPAddress but also not falling back to commonName
> if they were specified. AFAICS, with this change it is possible to 
> create strange certificates that Python would accept when an IP 
> address matched commonName but other implementations would reject 
> because of iPAddress mismatch.

Good point! But I think we already have this issue with a certificate 
like this one:

cert = { 'subject': ((('commonName', '192.168.1.1'),),)}
ok(cert, '192.168.1.1')

Do you think this test should fail?

History
Date	User	Action	Args
2011-05-07 07:48:37	nbareil	set	recipients: + nbareil, pitrou, kiilerix, sdaoden, python-dev
2011-05-07 07:48:37	nbareil	set	messageid: <1304754517.36.0.568196346631.issue12000@psf.upfronthosting.co.za>
2011-05-07 07:48:34	nbareil	link	issue12000 messages
2011-05-07 07:48:34	nbareil	create