This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author noxxi
Recipients noxxi
Date 2016-12-11.20:14:25
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1481487266.54.0.545771157838.issue28938@psf.upfronthosting.co.za>
In-reply-to
Content 
from Lib/ssl.py

303        elif key == 'IP Address':
304            if host_ip is not None and _ipaddress_match(value, host_ip):
305                return
306            dnsnames.append(value)
307    if not dnsnames:
308        # The subject is only checked when there is no dNSName entry
309        # in subjectAltName

RFC 2818 and RFC 6125 say that CN should not be used if subjectAltNames contains DNS names. This means CN should still be checked if SAN contains only IP addresses. By appending IP address to dnsnames in line 306 it will not check the CN if there are no DNS names in SAN but only IP address.

See also http://stackoverflow.com/questions/41089539/authentication-issue-with-ssl-certificate-using-python-requests-lib/41090559#41090559
History
Date User Action Args
2016-12-11 20:14:26noxxisetrecipients: + noxxi
2016-12-11 20:14:26noxxisetmessageid: <1481487266.54.0.545771157838.issue28938@psf.upfronthosting.co.za>
2016-12-11 20:14:26noxxilinkissue28938 messages
2016-12-11 20:14:25noxxicreate