
Title: SSL wiki page, host name matching, CN and SAN
Type: enhancement Stage: resolved
Components: Documentation Versions:
Status: closed Resolution: wont fix
Dependencies: Superseder:
Assigned To: docs@python Nosy List: Jeffrey.Walton, docs@python, pitrou
Priority: normal Keywords:

Created on 2015-04-13 07:17 by Jeffrey.Walton, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (4)
msg240590 - (view) Author: Jeffrey Walton (Jeffrey.Walton) * Date: 2015-04-13 07:17
The Python wiki page on SSL states (

    To validate that a certificate matches requested site,
    you need to check commonName field in the subject of
    the certificate.

I don't think it's quite correct.

Both the IETF and the CA/B Forums deprecated the use of a hostname or IP address in the commonName (CN). All hostnames and IP addresses must be listed in the subjectAlternateName (SAN), and that's where to look for them.

Though deprecated, placing a name in the CN is not forbidden. In fact, RFC 6125 states the CN should be used as a "last resort" in Section 6.4.4:

    Therefore, if and only if the presented identifiers
    do not include a DNS-ID, SRV-ID, URI-ID, or any
    application-specific identifier types supported by
    the client, then the client MAY as a last resort check
    for a string whose form matches that of a fully
    qualified DNS domain name in a Common Name field of
    the subject field (i.e., a CN-ID).

Following the advice on the wiki might lead to a Type II error, where an otherwise good certificate is rejected. It's not as bad as accepting a bad certificate, though (by omitting the hostname matching checks).

The IETF deprecated the practice of placing a name in the CN in RFC 6125, Section 6.4.4. The CA/Browser Forum deprecated a DNS name in the CN in Baseline Requirements (BR) Section 9.2.2 Subject Common Name Field.
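One way to implement the preference order the report describes (SAN DNS-IDs and IP-IDs first, the CN-ID only as a last resort when the SAN carries no DNS-ID), as an added example that is not part of the original report or of the ssl module. It works on the dict shape `ssl.SSLSocket.getpeercert()` returns; the function names and the sample certificates are constructed for illustration.

```python
import ipaddress

def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; a '*' is accepted only as the whole
    leftmost label and matches exactly one label (RFC 6125 section 6.4.3 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*' anywhere but the leftmost label, bare '*.tld' patterns,
    # and any attempt to span more than one label with the wildcard.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def match_hostname(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is a presented identifier of `cert`.
    SAN entries take precedence; the CN is consulted only when no DNS-ID exists."""
    san = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    ip_ids = [value for kind, value in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal may only match an iPAddress SAN entry, never a CN string.
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_ids)
    if dns_ids:
        # A DNS-ID is present: the CN is ignored even if it would have matched.
        return any(_dns_match(p, hostname) for p in dns_ids)
    # Last resort (RFC 6125 section 6.4.4): no DNS-ID at all, so try CN-IDs.
    cn_ids = [value for rdn in cert.get("subject", ())
              for kind, value in rdn if kind == "commonName"]
    return any(_dns_match(p, hostname) for p in cn_ids)

# Constructed sample certificates in getpeercert() layout (not real certificates).
SAN_CERT = {
    "subject": ((("commonName", "stale.example.net"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "XX"),), (("commonName", "legacy.example.org"),)),
    "subjectAltName": (),
}
```

With SAN_CERT, the wiki's CN-only advice would accept `stale.example.net` and reject `www.example.com`; the SAN-first order above does the reverse.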
msg240600 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2015-04-13 11:21
Thanks for the report; your remarks are obviously true. Unfortunately, the wiki is community-maintained, there's not much point in reporting bugs here about it. That page's contents look very outdated, by the way.

The official documentation for the ssl module is here:
msg240601 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2015-04-13 11:31
I'm closing this issue since it isn't part of our responsibilities here, sorry.
If you want to see that wiki page fixed, the best is probably to... fix it yourself :-) (it's a wiki after all)

(frankly, I think it should be removed or replaced with a pair of links to the official ssl module and the pyOpenSSL docs)
msg240637 - (view) Author: Jeffrey Walton (Jeffrey.Walton) * Date: 2015-04-13 16:03
> there's not much point in reporting bugs here about it.

Oh, sorry about that.

> That page's contents look very outdated, by the way.

Yeah, there's a few opportunities for improvement.
Date                 User            Action  Args
2022-04-11 14:58:15  admin           set     github: 68116
2015-04-13 16:03:06  Jeffrey.Walton  set     messages: + msg240637
2015-04-13 11:31:51  pitrou          set     status: open -> closed; resolution: wont fix; messages: + msg240601; stage: resolved
2015-04-13 11:21:22  pitrou          set     nosy: + pitrou; messages: + msg240600
2015-04-13 07:17:28  Jeffrey.Walton  create