Message282950
On Sun, Dec 11, 2016 at 08:26:32PM +0000, Christian Heimes <report@bugs.python.org> wrote:
>
> Christian Heimes added the comment:
>
> Python's implementation of host name verification conforms to RFC 6125, section 6.4.4. The CN check is optional (MAY). Python treats the presence of an IP Address as indicator that CN check should not be performed.
RFC 6125 does not obsolete RFC 2818. In fact it says in section 1.4:
This document also does not supersede the rules for verifying service
identity provided in specifications for existing application
protocols published prior to this document, such as those excerpted
under Appendix B...
Where Appendix B.2 explicitly cites the relevant parts from RFC 2818 like this
in section 3.1:
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used.
Thus, while RFC 6125 might say MAY for checking the CN, the more specific RFC
2818 clearly says MUST. Also, the intention of RFC 6125 in 6.4.4 is in my
opinion to distinguish between applications never checking the CN and
applications which check the CN, while telling the latter that the CN
should not be checked for specific SAN record types. iPAddress is not a type
which is considered for this special treatment.
Regards,
Steffen

Date                | User  | Action | Args
2016-12-11 21:39:39 | noxxi | set    | recipients: + noxxi, janssen, christian.heimes, alex, dstufft, Lukasa
2016-12-11 21:39:39 | noxxi | link   | issue28938 messages
2016-12-11 21:39:38 | noxxi | create |
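The disagreement above is about one branch of the host name matching logic: whether a certificate that carries only an iPAddress subjectAltName may still fall back to the subject Common Name when the reference identifier is a DNS name. The following is an added example, not code from CPython or from either participant, that implements both readings side by side over certificates in the dict layout that ssl.SSLSocket.getpeercert() returns. The policy names RFC2818 and IP_SAN_SUPPRESSES_CN, the helper functions and the sample certificates are all constructed for this illustration; the second policy models the behaviour described in the thread (any SAN entry, including iPAddress, disables the CN check) and is not a claim about the exact CPython source.

```python
"""Compare two CN-fallback policies for TLS host name matching.

Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().
All certificates below are constructed samples, not real peer certificates.
"""
import ipaddress

# Policy identifiers (names chosen for this example).
RFC2818 = "rfc2818"                  # CN consulted whenever no dNSName SAN exists
IP_SAN_SUPPRESSES_CN = "ip-san-cn"  # any SAN entry, incl. iPAddress, disables CN


def _dnsname_match(pattern, hostname):
    """RFC 6125 6.4.3 style comparison: case-insensitive; '*' is honoured only
    as the complete left-most label and matches exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two literal labels after the wildcard (*.example.test).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are rejected outright
    return p_labels == h_labels


def _ipaddress_match(cert_ip, host_ip):
    """iPAddress SAN entries must match the reference IP exactly."""
    return ipaddress.ip_address(cert_ip) == host_ip


def _common_names(cert):
    """Collect every commonName attribute from the subject RDN sequence."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches(cert, hostname, policy=RFC2818):
    """Return True if `cert` is valid for `hostname` under the given policy."""
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    if host_ip is not None:
        # Both RFCs: an IP reference identifier matches only an iPAddress SAN.
        return any(_ipaddress_match(v, host_ip) for v in ip_names)

    if any(_dnsname_match(v, hostname) for v in dns_names):
        return True
    if dns_names:
        return False  # dNSName present: it MUST be used, the CN is ignored
    if policy == IP_SAN_SUPPRESSES_CN and ip_names:
        return False  # the reading under discussion: iPAddress SAN disables CN
    # RFC 2818 3.1 fallback: no dNSName SAN, so the Common Name is used.
    return any(_dnsname_match(cn, hostname) for cn in _common_names(cert))


# Constructed sample certificates in getpeercert() layout.
CERT_CN_WITH_IP_SAN = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
CERT_CN_WITH_DNS_SAN = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "mail.example.test"),),)}


if __name__ == "__main__":
    for policy in (RFC2818, IP_SAN_SUPPRESSES_CN):
        print(policy, "CN + iPAddress SAN, host mail.example.test ->",
              cert_matches(CERT_CN_WITH_IP_SAN, "mail.example.test", policy))
    print("CN + iPAddress SAN, host 192.0.2.10 ->",
          cert_matches(CERT_CN_WITH_IP_SAN, "192.0.2.10"))
    print("CN + dNSName SAN, host mail.example.test ->",
          cert_matches(CERT_CN_WITH_DNS_SAN, "mail.example.test"))
```

The only input on which the two policies disagree is the first sample: a certificate whose SAN holds just an iPAddress, presented for a DNS host name. Under the RFC 2818 reading the CN is consulted and the connection succeeds; under the other reading the presence of the iPAddress entry is taken as the signal not to look at the CN and the connection fails.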