Message 120122 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	kiilerix
Recipients	Ryan.Tucker, ahasenack, asdfasdfasdfasdfasdfasdfasdf, debatem1, devin, giampaolo.rodola, heikki, janssen, jsamuel, kiilerix, orsenthil, pitrou, vila, zooko
Date	2010-11-01.13:07:02
SpamBayes Score	0.00016435183
Marked as misclassified	No
Message-id	<4CCEBB70.9050303@kiilerich.com>
In-reply-to	<1288583145.3.0.287732339061.issue1589@psf.upfronthosting.co.za>

Content
> So I know the current patch doesn't support IP addresses Not exactly. The committed patch do not consider IP addresses - especially not iPAddress entries in subjectAltName. But Python only distinguishes resolvable names from IP addresses at a very low level. At the ssl module level the name and IP is considered the same, so we actually do support IP addresses if specified in commonName or subjectAltName DNS. We are thus "vulnerable" to this issue. (AFAIK AFAICS) (It seems like IP in commonName isn't permitted by the RFCs, but I think it is quite common, especially for self-signed certificates.) > CVE-2010-3170: http://www.mozilla.org/security/announce/2010/mfsa2010-70.html For reference, the actual report can be found on http://www.securityfocus.com/archive/1/513396 FWIW, I don't think it is critical at all. Granted, it is a deviation from the specification, and that is not good in a security critical part. But we do not claim to implement the full specification, so I don't think this deviation makes any difference. Further, this issue will only have relevance if one the trusted CAs create invalid certificates. But if the trusted CAs create invalid certificates the user has lost anyway and things can't get much worse.

> So I know the current patch doesn't support IP addresses

Not exactly. The committed patch do not consider IP addresses - 
especially not iPAddress entries in subjectAltName. But Python only 
distinguishes resolvable names from IP addresses at a very low level. At 
the ssl module level the name and IP is considered the same, so we 
actually do support IP addresses if specified in commonName or 
subjectAltName DNS. We are thus "vulnerable" to this issue. (AFAIK AFAICS)

(It seems like IP in commonName isn't permitted by the RFCs, but I think 
it is quite common, especially for self-signed certificates.)

> CVE-2010-3170: http://www.mozilla.org/security/announce/2010/mfsa2010-70.html

For reference, the actual report can be found on 
http://www.securityfocus.com/archive/1/513396

FWIW, I don't think it is critical at all. Granted, it is a deviation 
from the specification, and that is not good in a security critical 
part. But we do not claim to implement the full specification, so I 
don't think this deviation makes any difference.

Further, this issue will only have relevance if one the trusted CAs 
create invalid certificates. But if the trusted CAs create invalid 
certificates the user has lost anyway and things can't get much worse.

History
Date	User	Action	Args
2010-11-01 13:07:06	kiilerix	set	recipients: + kiilerix, zooko, janssen, orsenthil, pitrou, giampaolo.rodola, vila, heikki, ahasenack, debatem1, jsamuel, devin, asdfasdfasdfasdfasdfasdfasdf, Ryan.Tucker
2010-11-01 13:07:04	kiilerix	link	issue1589 messages
2010-11-01 13:07:02	kiilerix	create