Message135275
Hello Antoine, Steffen,
You are absolutely right about removing the 'not san' part. Here is the
new patch, with tests :
diff -r c22d5b37f6a4 Lib/ssl.py
--- a/Lib/ssl.py Fri May 06 09:31:02 2011 +0300
+++ b/Lib/ssl.py Fri May 06 12:47:14 2011 +0200
@@ -122,8 +122,9 @@
if _dnsname_to_pat(value).match(hostname):
return
dnsnames.append(value)
- if not san:
- # The subject is only checked when subjectAltName is empty
+ if not dnsnames:
+ # The subject is only checked when there is no dNSName entry
+ # in subjectAltName
for sub in cert.get('subject', ()):
for key, value in sub:
# XXX according to RFC 2818, the most specific Common Name
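Review bot: The comment added above `if not dnsnames:` should state why the fallback is keyed on dNSName entries and what it now admits. With this condition, a certificate whose subjectAltName holds only non-DNS entries is matched on its subject commonName, whereas before any subjectAltName suppressed that check. This follows RFC 2818 section 3.1, but it widens the set of certificates accepted by commonName, so I would spell the rule out: `# RFC 2818 3.1: commonName is used only when subjectAltName has no dNSName entry;` followed by `# other subjectAltName types do not suppress this fallback`. If the function's docstring describes the matching rules, it presumably needs the same sentence; the function begins and ends outside this hunk, so I cannot confirm that.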
diff -r c22d5b37f6a4 Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py Fri May 06 09:31:02 2011 +0300
+++ b/Lib/test/test_ssl.py Fri May 06 12:47:14 2011 +0200
@@ -277,6 +277,24 @@
(('organizationName', 'Google Inc'),))}
fail(cert, 'mail.google.com')
+ # No DNS entry in subjectAltName but a commonName
+ cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+ 'subject': ((('countryName', 'US'),),
+ (('stateOrProvinceName', 'California'),),
+ (('localityName', 'Mountain View'),),
+ (('commonName', 'mail.google.com'),)),
+ 'subjectAltName': (('othername', 'blabla'), )}
+ ok(cert, 'mail.google.com')
+
+ # No DNS entry subjectAltName and no commonName
+ cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+ 'subject': ((('countryName', 'US'),),
+ (('stateOrProvinceName', 'California'),),
+ (('localityName', 'Mountain View'),),
+ (('organizationName', 'Google Inc'),)),
+ 'subjectAltName': (('othername', 'blabla'),)}
+ fail(cert, 'google.com')
+
# Empty cert / no cert
self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
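Review bot: The two added cases cover only certificates with no dNSName entry, so nothing in this hunk pins the property the new `if not dnsnames:` guard protects. That property is that a subjectAltName with a non-matching dNSName must still block the commonName fallback, even when the commonName matches. A case mixing an `othername` entry with a non-matching `DNS` entry and a matching commonName would catch a regression to "fall back whenever nothing matched"; skip it if the part of the file outside this hunk already has an equivalent. Separately, the second added comment is missing a word, `# No DNS entry in subjectAltName and no commonName`, and the first case's `(('othername', 'blabla'), )` has a stray space that the second does not.

```python
# A dNSName entry is present but does not match: commonName must be ignored
# (host names below are constructed sample values)
cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
        'subject': ((('commonName', 'mail.google.com'),),),
        'subjectAltName': (('othername', 'blabla'),
                           ('DNS', 'other.example.com'))}
fail(cert, 'mail.google.com')
```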
Steffen, I will submit a bug report to Mercurial as soon as this patch is expected to be integrated into py3k.
|
Date |
User |
Action |
Args |
2011-05-06 10:48:29 | nbareil | set | recipients:
+ nbareil, pitrou, sdaoden |
2011-05-06 10:48:29 | nbareil | set | messageid: <1304678909.24.0.221095868054.issue12000@psf.upfronthosting.co.za> |
2011-05-06 10:48:28 | nbareil | link | issue12000 messages |
2011-05-06 10:48:28 | nbareil | create | |
|