Issue #12000: When a SSL certificate has a subjectAltName without any

dNSName entry, ssl.match_hostname() should use the subject's commonName. Patch by Nicolas Bareil.

Issue #12000: When a SSL certificate has a subjectAltName without any
dNSName entry, ssl.match_hostname() should use the subject's commonName. Patch by Nicolas Bareil.
1c86b445 · Antoine Pitrou · 78349b06 · 1c86b445 · 1c86b445 · 1c86b445
Commit 1c86b445 authored May 06, 2011 by Antoine Pitrou
Show whitespace changes
Inline Side-by-side

Showing with 26 additions and 2 deletions

Lib/ssl.py Lib/ssl.py +3 -2

Lib/test/test_ssl.py Lib/test/test_ssl.py +18 -0

Misc/ACKS Misc/ACKS +1 -0

Misc/NEWS Misc/NEWS +4 -0

No files found.
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -122,8 +122,9 @@ def match_hostname(cert, hostname):
            if _dnsname_to_pat(value).match(hostname):
                return
            dnsnames.append(value)
-    if not san:
+    if not dnsnames:
-        # The subject is only checked when subjectAltName is empty
+        # The subject is only checked when there is no dNSName entry
+        # in subjectAltName
        for sub in cert.get('subject', ()):
            for key, value in sub:
                # XXX according to RFC 2818, the most specific Common Name

--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -277,6 +277,24 @@ class BasicSocketTests(unittest.TestCase):
                            (('organizationName', 'Google Inc'),))}
        fail(cert, 'mail.google.com')
+        # No DNS entry in subjectAltName but a commonName
+        cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+                'subject': ((('countryName', 'US'),),
+                            (('stateOrProvinceName', 'California'),),
+                            (('localityName', 'Mountain View'),),
+                            (('commonName', 'mail.google.com'),)),
+                'subjectAltName': (('othername', 'blabla'), )}
+        ok(cert, 'mail.google.com')
+        # No DNS entry subjectAltName and no commonName
+        cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+                'subject': ((('countryName', 'US'),),
+                            (('stateOrProvinceName', 'California'),),
+                            (('localityName', 'Mountain View'),),
+                            (('organizationName', 'Google Inc'),)),
+                'subjectAltName': (('othername', 'blabla'),)}
+        fail(cert, 'google.com')
        # Empty cert / no cert
        self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
        self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')

--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -49,6 +49,7 @@ Luigi Ballabio
 Jeff Balogh
 Matt Bandy
 Michael J. Barber
+Nicolas Bareil
 Chris Barker
 Nick Barnes
 Quentin Barnes

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -83,6 +83,10 @@ Core and Builtins
 Library
 -------
+- Issue #12000: When a SSL certificate has a subjectAltName without any
+  dNSName entry, ssl.match_hostname() should use the subject's commonName.
+  Patch by Nicolas Bareil.
 - Issue #11647: objects created using contextlib.contextmanager now support
  more than one call to the function when used as a decorator. Initial patch
  by Ysj Ray.