Message 58508 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	janssen
Recipients	ahasenack, gvanrossum, janssen
Date	2007-12-12.20:36:58
SpamBayes Score	0.012869823
Marked as misclassified	No
Message-id	<4b3e516a0712121236g165ce7ddpdfd13d4676f4e2c6@mail.gmail.com>
In-reply-to	<1197463704.77.0.451471168005.issue1589@psf.upfronthosting.co.za>

Content
Yes, I think that's reasonable. And for pseudo-standards like https, which calls for this, the implementation in the standard library should attempt to do it automatically. Unfortunately, that means that client-side certificate verification has to be done (it's pointless to look at the data in unverified certificates), and that means that the client software has to have an appropriate collection of root certificates to verify against. I think there's an argument for adding a registry of root certificates to the SSL module, just a module-level variable that the application can bind to a filename of a file containing their collection of certificates. If it's non-None, the https code would use it to verify the certificate, then use the commonName in the subject field to check against the hostname in the URL. If it's None, the check would be skipped. Bill On Dec 12, 2007 4:48 AM, Andreas Hasenack <report@bugs.python.org> wrote: > > Andreas Hasenack added the comment: > > At the least it should be made clear in the documentation that the > hostname is not checked against the commonName nor the subjectAltName > fields of the server certificate. And add some sample code to the > documentation for doing a simple check. Something like this, to > illustrate: > > def get_subjectAltName(cert): > if not cert.has_key('subjectAltName'): > return [] > ret = [] > for rdn in cert['subjectAltName']: > if rdn[0].lower() == 'dns' or rdn[0][:2].lower() == 'ip': > ret.append(rdn[1]) > return ret > > def get_commonName(cert): > if not cert.has_key('subject'): > return [] > ret = [] > for rdn in cert['subject']: > if rdn[0][0].lower() == 'commonname': > ret.append(rdn[0][1]) > return ret > > > def verify_hostname(cert, host): > cn = get_commonName(cert) > san = get_subjectAltName(cert) > return (host in cn) or (host in san) > > __________________________________ > Tracker <report@bugs.python.org> > <http://bugs.python.org/issue1589> > __________________________________ >

Yes, I think that's reasonable.  And for pseudo-standards like https, which
calls for this, the implementation in the standard library should attempt to
do it automatically.  Unfortunately, that means that client-side certificate
verification has to be done (it's pointless to look at the data in
unverified certificates), and that means that the client software has to
have an appropriate collection of root certificates to verify against.  I
think there's an argument for adding a registry of root certificates to the
SSL module, just a module-level variable that the application can bind to a
filename of a file containing their collection of certificates.  If it's
non-None, the https code would use it to verify the certificate, then use
the commonName in the subject field to check against the hostname in the
URL.  If it's None, the check would be skipped.

Bill

On Dec 12, 2007 4:48 AM, Andreas Hasenack <report@bugs.python.org> wrote:

>
> Andreas Hasenack added the comment:
>
> At the least it should be made clear in the documentation that the
> hostname is not checked against the commonName nor the subjectAltName
> fields of the server certificate. And add some sample code to the
> documentation for doing a simple check. Something like this, to
> illustrate:
>
> def get_subjectAltName(cert):
>        if not cert.has_key('subjectAltName'):
>                return []
>        ret = []
>        for rdn in cert['subjectAltName']:
>                if rdn[0].lower() == 'dns' or rdn[0][:2].lower() == 'ip':
>                        ret.append(rdn[1])
>        return ret
>
> def get_commonName(cert):
>        if not cert.has_key('subject'):
>                return []
>        ret = []
>        for rdn in cert['subject']:
>                if rdn[0][0].lower() == 'commonname':
>                        ret.append(rdn[0][1])
>        return ret
>
>
> def verify_hostname(cert, host):
>        cn = get_commonName(cert)
>        san = get_subjectAltName(cert)
>        return (host in cn) or (host in san)
>
> __________________________________
> Tracker <report@bugs.python.org>
> <http://bugs.python.org/issue1589>
> __________________________________
>

Files
File name	Uploaded
unnamed	janssen, 2007-12-12.20:36:57

History
Date	User	Action	Args
2007-12-12 20:36:59	janssen	set	spambayes_score: 0.0128698 -> 0.012869823 recipients: + janssen, gvanrossum, ahasenack
2007-12-12 20:36:58	janssen	link	issue1589 messages
2007-12-12 20:36:58	janssen	create