Message58434
(I hope I used the correct component for this report)
http://pypi.python.org/pypi/ssl/
I used the client example shown at
http://docs.python.org/dev/library/ssl.html#client-side-operation to
connect to a bank site called www.realsecureweb.com.br at
200.208.16.101. Its certificate is signed by VeriSign. My OpenSSL has this
CA at /etc/pki/tls/rootcerts/verisign-inc-class-3-public-primary.pem.
The verification works.
If I make up a hostname called something else, like "wwws", and place it
in /etc/hosts pointing to that IP address, the SSL connection should not
be established because that name doesn't match the common name field in
the server certificate. But the SSL module happily connects to it
(excerpt below):
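import socket
import ssl

# File name of the VeriSign CA certificate used as the trust anchor
cert = "verisign-inc-class-3-public-primary.pem"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# The peer certificate must chain to the CA given in ca_certs
ssl_sock = ssl.wrap_socket(s,
                           ca_certs="/etc/pki/tls/rootcerts/%s" % cert,
                           cert_reqs=ssl.CERT_REQUIRED)
# 'wwws' is the made-up /etc/hosts name pointing at 200.208.16.101
ssl_sock.connect(('wwws', 443))
print repr(ssl_sock.getpeername())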
output:
('200.208.16.101', 443)
('RC4-MD5', 'TLSv1/SSLv3', 128)
{'notAfter': 'Sep 10 23:59:59 2008 GMT',
'subject': ((('countryName', u'BR'),),
(('stateOrProvinceName', u'Sao Paulo'),),
(('localityName', u'Sao Paulo'),),
(('organizationName', u'Banco ABN AMRO Real SA'),),
(('organizationalUnitName', u'TI Internet PF e PJ'),),
(('commonName', u'www.realsecureweb.com.br'),))}
If I now open, say, a Firefox window and point it to "https://wwws", it
gives me the expected warning that the hostname doesn't match the
certificate.
I'll attach the verisign CA certificate to make it easier to reproduce
the error.

Date | User | Action | Args
2007-12-11 15:41:03 | ahasenack | set | spambayes_score: 0.0145522 -> 0.014552157; recipients: + ahasenack
2007-12-11 15:41:03 | ahasenack | set | spambayes_score: 0.0145522 -> 0.0145522; messageid: <1197387663.32.0.0598513497038.issue1589@psf.upfronthosting.co.za>
2007-12-11 15:41:03 | ahasenack | link | issue1589 messages
2007-12-11 15:41:01 | ahasenack | create |
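The check this report finds missing, as an added example (not part of the original message and not the ssl module's own code): a Python 3 function that compares the requested hostname with the names in a getpeercert()-style dictionary, using the subject printed in the output above. The function names, the subjectAltName-first rule and the leftmost-label-only wildcard handling are assumptions made for this illustration.

```python
# Added example: hostname check over a getpeercert()-style dictionary.
# PAGE_CERT reproduces the subject printed in the report; verify_hostname and
# the helper names are hypothetical, not part of the ssl module.

PAGE_CERT = {
    "notAfter": "Sep 10 23:59:59 2008 GMT",
    "subject": (
        (("countryName", "BR"),),
        (("stateOrProvinceName", "Sao Paulo"),),
        (("localityName", "Sao Paulo"),),
        (("organizationName", "Banco ABN AMRO Real SA"),),
        (("organizationalUnitName", "TI Internet PF e PJ"),),
        (("commonName", "www.realsecureweb.com.br"),),
    ),
}


def _label_match(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h


def candidate_names(cert):
    """DNS subjectAltName entries if present, otherwise the subject commonName(s)."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def verify_hostname(cert, hostname):
    """Raise ValueError unless hostname matches a name the certificate carries."""
    names = candidate_names(cert)
    if not any(_label_match(n, hostname) for n in names):
        raise ValueError("hostname %r does not match certificate names %r"
                         % (hostname, names))
    return True
```

On a live connection the inputs would be ssl_sock.getpeercert() and the name passed to connect(), checked after the handshake and before any application data is sent. Current Python performs this check itself when the socket is wrapped through ssl.create_default_context(), which enables check_hostname.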