Author kiilerix
Recipients kiilerix, nbareil, pitrou, python-dev, sdaoden
Date 2011-05-06.15:35:10
SpamBayes Score 2.14189e-06
Marked as misclassified No
Message-id <1304696112.22.0.215171112489.issue12000@psf.upfronthosting.co.za>
In-reply-to
Content
In my opinion the RFCs are a bit unclear about how iPAddress subjectAltNames should be handled. (I also don't know if Python currently do the right thing by accepting and matching IP addresses if specified in commonName.)

Until now Python failed to the safe side by not matching on subjectAltName iPAddress but also not falling back to commonName if they were specified. AFAICS, with this change it is possible to create strange certificates that Python would accept when an IP address matched commonName but other implementations would reject because of iPAddress mismatch.

That is probably not a real problem, but I wanted to point it out as the biggest issue I could find with this fix. Nice catch.

We could perhaps add IP addresses to dnsnames even though we don't match on them.
History
Date User Action Args
2011-05-06 15:35:12kiilerixsetrecipients: + kiilerix, pitrou, sdaoden, python-dev, nbareil
2011-05-06 15:35:12kiilerixsetmessageid: <1304696112.22.0.215171112489.issue12000@psf.upfronthosting.co.za>
2011-05-06 15:35:10kiilerixlinkissue12000 messages
2011-05-06 15:35:10kiilerixcreate