
Author christian.heimes
Recipients alex, christian.heimes, dstufft, janssen, noxxi
Date 2016-12-11.20:26:32
Message-id <1481487992.63.0.371073571396.issue28938@psf.upfronthosting.co.za>
Content
Python's implementation of host name verification conforms to RFC 6125, section 6.4.4. The CN check is optional (MAY). Python treats the presence of an IP Address as an indicator that the CN check should not be performed.

In fact, the hostname verification code should be stricter and not fall back to CN when a SRV-ID or URI is present. But the ssl module lacks support for fetching SRV-ID, see #28191. Since public CAs and members of the CAB forum are not yet allowed to issue certificates with SRV-ID, it's not a security issue.


https://tools.ietf.org/html/rfc6125#section-6.4.4

6.4.4.  Checking of Common Names

   As noted, a client MUST NOT seek a match for a reference identifier
   of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
   URI-ID, or any application-specific identifier types supported by the
   client.

   Therefore, if and only if the presented identifiers do not include a
   DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types
   supported by the client, then the client MAY as a last resort check
   for a string whose form matches that of a fully qualified DNS domain
   name in a Common Name field of the subject field (i.e., a CN-ID).