Author kiilerix
Recipients Ryan.Tucker, ahasenack, asdfasdfasdfasdfasdfasdfasdf, debatem1, devin, giampaolo.rodola, heikki, janssen, jsamuel, kiilerix, orsenthil, pitrou, vila, zooko
Date 2010-11-01.13:07:02
SpamBayes Score 0.000164352
Marked as misclassified No
Message-id <>
In-reply-to <>
> So I know the current patch doesn't support IP addresses

Not exactly. The committed patch do not consider IP addresses - 
especially not iPAddress entries in subjectAltName. But Python only 
distinguishes resolvable names from IP addresses at a very low level. At 
the ssl module level the name and IP is considered the same, so we 
actually do support IP addresses if specified in commonName or 
subjectAltName DNS. We are thus "vulnerable" to this issue. (AFAIK AFAICS)

(It seems like IP in commonName isn't permitted by the RFCs, but I think 
it is quite common, especially for self-signed certificates.)

> CVE-2010-3170:

For reference, the actual report can be found on

FWIW, I don't think it is critical at all. Granted, it is a deviation 
from the specification, and that is not good in a security critical 
part. But we do not claim to implement the full specification, so I 
don't think this deviation makes any difference.

Further, this issue will only have relevance if one the trusted CAs 
create invalid certificates. But if the trusted CAs create invalid 
certificates the user has lost anyway and things can't get much worse.
Date User Action Args
2010-11-01 13:07:06kiilerixsetrecipients: + kiilerix, zooko, janssen, orsenthil, pitrou, giampaolo.rodola, vila, heikki, ahasenack, debatem1, jsamuel, devin, asdfasdfasdfasdfasdfasdfasdf, Ryan.Tucker
2010-11-01 13:07:04kiilerixlinkissue1589 messages
2010-11-01 13:07:02kiilerixcreate