This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author: noxxi
Recipients: Lukasa, alex, christian.heimes, dstufft, janssen, noxxi
Date: 2016-12-11.21:39:38
Message-id: <20161211213937.GA30708@chksum.de>
In-reply-to: <1481487992.63.0.371073571396.issue28938@psf.upfronthosting.co.za>
Content
On Sun, Dec 11, 2016 at 08:26:32PM +0000, Christian Heimes <report@bugs.python.org> wrote:
> 
> Christian Heimes added the comment:
> 
> Python's implementation of host name verification conforms to RFC 6125, section 6.4.4. The CN check is optional (MAY). Python treats the presence of an IP Address as indicator that CN check should not be performed. 

RFC 6125 does not obsolete RFC 2818. In fact it says in section 1.4:

   This document also does not supersede the rules for verifying service
   identity provided in specifications for existing application
   protocols published prior to this document, such as those excerpted
   under Appendix B...

Where Appendix B.2 explicitly cites the relevant parts from RFC 2818 like this
in section 3.1:

  If a subjectAltName extension of type dNSName is present, that MUST
  be used as the identity. Otherwise, the (most specific) Common Name
  field in the Subject field of the certificate MUST be used.

Thus, while RFC 6125 might say MAY for checking the CN, the more specific RFC
2818 says clearly MUST. Also, the intention of RFC 6125 in 6.4.4 is in my
opinion to distinguish between applications never checking the CN and
applications which check the CN, while telling the latter that the CN
should not be checked for specific SAN record types. iPAddress is not a type
which is considered for this special treatment.

Regards,
Steffen
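To make the disagreement above concrete, here is an added example (not code from the Python ssl module and not from either participant) that implements the two policies side by side over a certificate dictionary laid out the way ssl.getpeercert() presents it. match_rfc2818 follows RFC 2818 section 3.1 as quoted: a dNSName subjectAltName, if present, MUST be used, otherwise the Common Name is consulted. match_skip_cn_if_any_san implements the behaviour described in the quoted comment, where any subjectAltName entry, including an iPAddress one, suppresses the CN fallback. The sample certificates are constructed for this example; the wildcard matching is a simplified single-label rule and is an assumption of this example, not a transcription of either RFC's full wildcard text.

```python
"""Two host name matching policies over a getpeercert()-style cert dict.

Added example for issue28938's discussion; not the stdlib implementation.
"""
import ipaddress


def _dnsname_match(pattern, hostname):
    # Case-insensitive label comparison. A single leftmost "*" label matches
    # exactly one label and only when at least two labels follow it
    # (simplified wildcard handling, an assumption of this example).
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) >= 3:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def _parse_ip(text):
    # Returns an ipaddress object for an IP literal, None for a host name.
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _common_names(cert):
    # cert["subject"] is a tuple of RDNs, each a tuple of (type, value) pairs.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def match_rfc2818(cert, hostname):
    """RFC 2818 section 3.1: dNSName SAN present -> it MUST be used;
    no dNSName SAN -> fall back to the Common Name.  An IP literal is
    matched only against iPAddress SANs.  An iPAddress SAN on its own does
    not disable the CN fallback for a host name."""
    san = cert.get("subjectAltName", ())
    host_ip = _parse_ip(hostname)
    if host_ip is not None:
        return any(k == "IP Address" and _parse_ip(v) == host_ip for k, v in san)
    dns_entries = [v for k, v in san if k == "DNS"]
    if dns_entries:
        return any(_dnsname_match(v, hostname) for v in dns_entries)
    return any(_dnsname_match(cn, hostname) for cn in _common_names(cert))


def match_skip_cn_if_any_san(cert, hostname):
    """Policy described in the quoted comment: the presence of any SAN entry
    (dNSName or iPAddress) is taken as the signal to skip the CN check."""
    san = cert.get("subjectAltName", ())
    host_ip = _parse_ip(hostname)
    if host_ip is not None:
        return any(k == "IP Address" and _parse_ip(v) == host_ip for k, v in san)
    if san:
        return any(k == "DNS" and _dnsname_match(v, hostname) for k, v in san)
    return any(_dnsname_match(cn, hostname) for cn in _common_names(cert))


# Constructed sample certificates (shape mimics ssl.getpeercert()).
CERT_CN_PLUS_IP = {  # the case the thread is about: CN plus iPAddress SAN only
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
CERT_DNS_OVERRIDES_CN = {  # dNSName present, so the CN must be ignored
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
CERT_CN_ONLY = {  # no SAN at all: both policies fall back to the CN
    "subject": ((("commonName", "www.example.com"),),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def compare(cert, hostname):
    """Return both verdicts so the policies can be contrasted directly."""
    return {
        "rfc2818": match_rfc2818(cert, hostname),
        "skip_cn_if_any_san": match_skip_cn_if_any_san(cert, hostname),
    }


if __name__ == "__main__":
    for name, cert in [("cn+ip", CERT_CN_PLUS_IP), ("dns", CERT_DNS_OVERRIDES_CN),
                       ("cn-only", CERT_CN_ONLY), ("wildcard", CERT_WILDCARD)]:
        print(name, "www.example.com", compare(cert, "www.example.com"))
    print("cn+ip", "192.0.2.10", compare(CERT_CN_PLUS_IP, "192.0.2.10"))
```

The only certificate on which the two policies disagree is CERT_CN_PLUS_IP connected to by host name: RFC 2818 accepts it via the CN because no dNSName is present, while the "any SAN suppresses CN" policy rejects it. For an IP literal both policies consult only the iPAddress entries, and when a dNSName is present both ignore the CN.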