Author ahasenack
Recipients ahasenack
Date 2007-12-11.15:41:01
Message-id <1197387663.32.0.0598513497038.issue1589@psf.upfronthosting.co.za>
In-reply-to
Content
(I hope I used the correct component for this report)

http://pypi.python.org/pypi/ssl/

I used the client example shown at
http://docs.python.org/dev/library/ssl.html#client-side-operation to
connect to a bank site called www.realsecureweb.com.br at
200.208.16.101. Its certificate is signed by VeriSign. My OpenSSL has this
CA at /etc/pki/tls/rootcerts/verisign-inc-class-3-public-primary.pem.
The verification works.

If I make up a hostname called something else, like "wwws", and place it
in /etc/hosts pointing to that IP address, the SSL connection should not
be established because that name doesn't match the common name field in
the server certificate. But the SSL module happily connects to it
(excerpt below):

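import pprint, socket, ssl

# CA file name, relative to /etc/pki/tls/rootcerts/
cert = "verisign-inc-class-3-public-primary.pem"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# CERT_REQUIRED validates the server's chain against ca_certs
ssl_sock = ssl.wrap_socket(s,
           ca_certs="/etc/pki/tls/rootcerts/%s" % cert,
           cert_reqs=ssl.CERT_REQUIRED)
# 'wwws' is the made-up /etc/hosts alias for 200.208.16.101
ssl_sock.connect(('wwws', 443))
print repr(ssl_sock.getpeername())
print ssl_sock.cipher()
print pprint.pformat(ssl_sock.getpeercert())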

output:
('200.208.16.101', 443)
('RC4-MD5', 'TLSv1/SSLv3', 128)
{'notAfter': 'Sep 10 23:59:59 2008 GMT',
 'subject': ((('countryName', u'BR'),),
             (('stateOrProvinceName', u'Sao Paulo'),),
             (('localityName', u'Sao Paulo'),),
             (('organizationName', u'Banco ABN AMRO Real SA'),),
             (('organizationalUnitName', u'TI Internet PF e PJ'),),
             (('commonName', u'www.realsecureweb.com.br'),))}

If I now open, say, a Firefox window and point it to "https://wwws", it
gives me the expected warning that the hostname doesn't match the
certificate.

I'll attach the verisign CA certificate to make it easier to reproduce
the error.
Files
File name Uploaded
verisign-inc-class-3-public-primary.pem ahasenack, 2007-12-11.15:41:01
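
The hostname check the report expects, as an added example (not part of the original report and not the ssl module's own code): it matches a name against the dict format that getpeercert() returns in the output above. The function names are hypothetical, the sample certificate is constructed from the subject fields in that output, and the example goes beyond the commonName case in the report by also handling subjectAltName entries and a leftmost wildcard label.

```python
# Added example: verify that a validated peer certificate was issued for the
# hostname the client intended to reach. Helper names are hypothetical.

def _dns_match(pattern, hostname):
    """Match one certificate DNS name; only a whole leftmost '*' label is a wildcard."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' cannot match
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # partial wildcards such as 'w*' only match literally


def cert_names(cert):
    """DNS names the certificate covers: subjectAltName if present, else commonName."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert, hostname):
    """True only if a non-empty validated cert names the requested hostname."""
    if not cert:
        return False  # getpeercert() returns {} when the cert was not validated
    return any(_dns_match(name, hostname) for name in cert_names(cert))


# Constructed sample in getpeercert() format, subject taken from the report's output.
SAMPLE_CERT = {
    "notAfter": "Sep 10 23:59:59 2008 GMT",
    "subject": (
        (("countryName", "BR"),),
        (("stateOrProvinceName", "Sao Paulo"),),
        (("localityName", "Sao Paulo"),),
        (("organizationName", "Banco ABN AMRO Real SA"),),
        (("organizationalUnitName", "TI Internet PF e PJ"),),
        (("commonName", "www.realsecureweb.com.br"),),
    ),
}

if __name__ == "__main__":
    for name in ("www.realsecureweb.com.br", "wwws"):
        print(name, "->", "match" if hostname_matches(SAMPLE_CERT, name) else "MISMATCH")
```

A client would call hostname_matches(ssl_sock.getpeercert(), requested_name) right after connect() and close the socket on a mismatch. In current Python, a context from ssl.create_default_context() performs this check itself when wrap_socket() is given server_hostname.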