This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients alex, christian.heimes, dstufft, pitrou, python-dev, r.david.murray, Ádám.Zsigmond
Date 2015-06-02.11:49:19
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
The patch has a couple of issues

1) match_hostname()'s doc string needs to be updated. It still contains "but IP addresses are not accepted for *hostname*"

2) The stdlib uses server_hostname for SNI and matching. An IP address in the SNI TLS extension violates RF 3546

   Literal IPv4 and IPv6 addresses are not permitted in "HostName".

3) The code doesn't match IP addresses in dNSName and DNS names in IP Address fields. Hynek's service identity module and Mozilla's NSS [1] agree with you. As far as I have studied OpenSSL 1.0.2, it has a different opinion. I'm in favor for the current check. I suggest to document the decision in the code and raise a more explicit exception. The current message is a bit confusing:

  ssl.CertificateError: hostname '' doesn't match ''

4) The code doesn't check the CN field for IP address as NSS does. [2]

In order to fix 2) and make the check more explicit I like to suggest an API change. Don't convert the host name to an IP address implicitly. If the user wants to validate an IP address, then she must pass in an ipaddress object as server_hostname. In that case SSLSocket.server_hostname is set to the ipaddress object. socket._wrap_socket() is called with server_hostname=None for ipaddress. That fixes the RFC violation.

[1] cert_VerifySubjectAltName()
[2] CERT_VerifyCertName
Date User Action Args
2015-06-02 11:49:20christian.heimessetrecipients: + christian.heimes, pitrou, alex, r.david.murray, python-dev, dstufft, Ádám.Zsigmond
2015-06-02 11:49:20christian.heimessetmessageid: <>
2015-06-02 11:49:20christian.heimeslinkissue23239 messages
2015-06-02 11:49:19christian.heimescreate