Message282945
Python's implementation of host name verification conforms to RFC 6125, section 6.4.4. The CN check is optional (MAY). Python treats the presence of an IP Address as an indicator that the CN check should not be performed.
In fact, the hostname verification code should be stricter and not fall back to CN when an SRV-ID or URI is present. But the ssl module lacks support for fetching SRV-IDs, see #28191. Since public CAs and members of the CAB Forum are not yet allowed to issue certificates with SRV-IDs, it's not a security issue.
https://tools.ietf.org/html/rfc6125#section-6.4.4

6.4.4. Checking of Common Names

As noted, a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client.

Therefore, if and only if the presented identifiers do not include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client, then the client MAY as a last resort check for a string whose form matches that of a fully qualified DNS domain name in a Common Name field of the subject field (i.e., a CN-ID).
Date                | User             | Action | Args
2016-12-11 20:26:32 | christian.heimes | set    | recipients: + christian.heimes, janssen, alex, dstufft, noxxi
2016-12-11 20:26:32 | christian.heimes | set    | messageid: <1481487992.63.0.371073571396.issue28938@psf.upfronthosting.co.za>
2016-12-11 20:26:32 | christian.heimes | link   | issue28938 messages
2016-12-11 20:26:32 | christian.heimes | create |
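The CN-ID fallback rule quoted in the message above, as an added Python example. This is not Python's own ssl.match_hostname() and not part of the tracker message: it consults the subject commonName only when the certificate presents no DNS-ID, URI-ID or IP Address SAN (the stricter URI handling the message asks for; SRV-IDs live in an otherName that getpeercert() does not decode, per #28191, so they cannot suppress the fallback here). The certificates are constructed dicts in the layout ssl.SSLSocket.getpeercert() returns, and the names presented_identifiers, check_hostname and match_hostname are this example's own.

```python
"""Reference-identifier matching per RFC 6125 6.4.3/6.4.4 (example code).

Certificates are dicts shaped like ssl.SSLSocket.getpeercert() output; the
sample certificates below are constructed for this example, not real ones.
"""
import ipaddress


class CertificateError(ValueError):
    """Raised when no presented identifier matches the reference identifier."""


def presented_identifiers(cert):
    """Split a getpeercert()-style dict into the identifier classes of 6.4.4.

    'other' keeps SAN kinds this code does not interpret (e.g. 'othername',
    which is where an SRV-ID would be carried but is not decoded by ssl).
    """
    ids = {"dns": [], "uri": [], "ip": [], "other": [], "cn": []}
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            ids["dns"].append(value)
        elif kind == "URI":
            ids["uri"].append(value)
        elif kind == "IP Address":
            ids["ip"].append(value)
        else:
            ids["other"].append((kind, value))
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                ids["cn"].append(value)
    return ids


def _dnsname_match(pattern, hostname):
    """RFC 6125 6.4.3: case-insensitive label comparison; '*' is accepted only
    as the complete leftmost label and matches exactly one label."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if len(plabels) != len(hlabels):
        return False
    if plabels[0] == "*":
        # Conservative choices of this example: require two fixed labels after
        # the wildcard, and never match an empty or internationalized label.
        if len(plabels) < 3 or not hlabels[0] or hlabels[0].startswith("xn--"):
            return False
        return plabels[1:] == hlabels[1:]
    if any("*" in label for label in plabels):
        return False  # partial or non-leftmost wildcards are rejected outright
    return plabels == hlabels


def check_hostname(cert, hostname):
    """Return (True, matched_identifier) or (False, reason)."""
    ids = presented_identifiers(cert)
    try:
        ref_ip = ipaddress.ip_address(hostname)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # An IP literal may only be matched by an IP Address SAN, never by a
        # DNS-ID or a CN that happens to contain the dotted-quad string.
        for ip in ids["ip"]:
            if ipaddress.ip_address(ip) == ref_ip:
                return True, "IP Address:%s" % ip
        return False, "no IP Address SAN matches %s" % hostname

    for name in ids["dns"]:
        if _dnsname_match(name, hostname):
            return True, "DNS:%s" % name

    # 6.4.4: CN-ID MUST NOT be consulted once a DNS-ID, SRV-ID or URI-ID is
    # present. An IP Address SAN also suppresses the fallback, mirroring the
    # behaviour the message describes; URI-IDs suppress it as the message
    # says they should. SRV-IDs cannot be detected from getpeercert() output.
    if ids["dns"] or ids["uri"] or ids["ip"]:
        return False, "subjectAltName present, CN-ID not consulted"

    for cn in ids["cn"]:
        if _dnsname_match(cn, hostname):
            return True, "commonName:%s" % cn
    return False, "no identifier matches %s" % hostname


def match_hostname(cert, hostname):
    """ssl.match_hostname-style wrapper: raise CertificateError on mismatch."""
    ok, detail = check_hostname(cert, hostname)
    if not ok:
        raise CertificateError("hostname %r doesn't match: %s" % (hostname, detail))
    return detail


# Constructed sample certificates in getpeercert() layout (not real certs).
CERT_SAN_ONLY = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {
    "subject": ((("organizationName", "Example"),),
                (("commonName", "cn-only.example.org"),)),
}
CERT_URI_AND_CN = {
    "subject": ((("commonName", "uri.example.org"),),),
    "subjectAltName": (("URI", "sip:uri.example.org"),),
}

if __name__ == "__main__":
    for cert, host in ((CERT_SAN_ONLY, "www.example.com"),
                       (CERT_SAN_ONLY, "legacy.example.net"),
                       (CERT_CN_ONLY, "cn-only.example.org"),
                       (CERT_URI_AND_CN, "uri.example.org")):
        print(host, "->", check_hostname(cert, host))
```

The "legacy.example.net" case is the one the RFC text is about: the commonName matches the reference identifier, but because the certificate carries DNS-IDs the match is refused, exactly as a MUST NOT requires.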