Message120122
> So I know the current patch doesn't support IP addresses
Not exactly. The committed patch do not consider IP addresses -
especially not iPAddress entries in subjectAltName. But Python only
distinguishes resolvable names from IP addresses at a very low level. At
the ssl module level the name and IP is considered the same, so we
actually do support IP addresses if specified in commonName or
subjectAltName DNS. We are thus "vulnerable" to this issue. (AFAIK AFAICS)
(It seems like IP in commonName isn't permitted by the RFCs, but I think
it is quite common, especially for self-signed certificates.)
> CVE-2010-3170: http://www.mozilla.org/security/announce/2010/mfsa2010-70.html
For reference, the actual report can be found on
http://www.securityfocus.com/archive/1/513396
FWIW, I don't think it is critical at all. Granted, it is a deviation
from the specification, and that is not good in a security critical
part. But we do not claim to implement the full specification, so I
don't think this deviation makes any difference.
Further, this issue will only have relevance if one the trusted CAs
create invalid certificates. But if the trusted CAs create invalid
certificates the user has lost anyway and things can't get much worse. |
|
Date |
User |
Action |
Args |
2010-11-01 13:07:06 | kiilerix | set | recipients:
+ kiilerix, zooko, janssen, orsenthil, pitrou, giampaolo.rodola, vila, heikki, ahasenack, debatem1, jsamuel, devin, asdfasdfasdfasdfasdfasdfasdf, Ryan.Tucker |
2010-11-01 13:07:04 | kiilerix | link | issue1589 messages |
2010-11-01 13:07:02 | kiilerix | create | |
|