The Python wiki page on SSL states (https://wiki.python.org/moin/SSL):
To validate that a certificate matches requested site,
you need to check commonName field in the subject of
the certificate.
I don't think its quite correct.
Both the IETF and the CA/B Forums deprecated the use of a hostname or IP address in the commonName (CN). All hostnames and IP addresses must be listed in the subjectAlternateName (SAN), and that's where to look for them.
Though deprecated, placing a name in the CN is not forbidden. In fact, RFC 6125 states the CN should be used as a "last resort" in Section 6.4.4:
Therefore, if and only if the presented identifiers
do not include a DNS-ID, SRV-ID, URI-ID, or any
application-specific identifier types supported by
the client, then the client MAY as a last resort check
for a string whose form matches that of a fully
qualified DNS domain name in a Common Name field of
the subject field (i.e., a CN-ID).
Following the advice on the wiki might lead to a Type II error, where an otherwise good certificate is rejected. Its not as bad as accepting a bad certificate, though (by omitting the hostname matching checks).
The IETF deprecated the practice of placing a name in the CN in RFC 6125, Section 6.4.4. The CA/Browser Forum deprecated a DNS name in the CN in Baseline Requirements (BR) Section 9.2.2 Subject Common Name Field.
|