summaryrefslogtreecommitdiffstats
path: root/Lib
diff options
context:
space:
mode:
authorAntoine Pitrou <solipsis@pitrou.net>2011-05-06 13:20:55 (GMT)
committerAntoine Pitrou <solipsis@pitrou.net>2011-05-06 13:20:55 (GMT)
commitff9bfca4827a6ad323c9eff359e34e10655fdc93 (patch)
tree50abe56e6fb9b479202372880c9e938346db812e /Lib
parentb4dc2502ad0a3497a4a6628ab1dd2b1e077ae157 (diff)
parent1c86b4450689cc9ecef6c99ad8e55bae67931e59 (diff)
downloadcpython-ff9bfca4827a6ad323c9eff359e34e10655fdc93.zip
cpython-ff9bfca4827a6ad323c9eff359e34e10655fdc93.tar.gz
cpython-ff9bfca4827a6ad323c9eff359e34e10655fdc93.tar.bz2
Issue #12000: When a SSL certificate has a subjectAltName without any
dNSName entry, ssl.match_hostname() should use the subject's commonName. Patch by Nicolas Bareil.
Diffstat (limited to 'Lib')
-rw-r--r--Lib/ssl.py5
-rw-r--r--Lib/test/test_ssl.py18
2 files changed, 21 insertions, 2 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 6d3828d..26cdd7b 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -122,8 +122,9 @@ def match_hostname(cert, hostname):
if _dnsname_to_pat(value).match(hostname):
return
dnsnames.append(value)
- if not san:
- # The subject is only checked when subjectAltName is empty
+ if not dnsnames:
+ # The subject is only checked when there is no dNSName entry
+ # in subjectAltName
for sub in cert.get('subject', ()):
for key, value in sub:
# XXX according to RFC 2818, the most specific Common Name
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 138367b..77adc43 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -277,6 +277,24 @@ class BasicSocketTests(unittest.TestCase):
(('organizationName', 'Google Inc'),))}
fail(cert, 'mail.google.com')
+ # No DNS entry in subjectAltName but a commonName
+ cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+ 'subject': ((('countryName', 'US'),),
+ (('stateOrProvinceName', 'California'),),
+ (('localityName', 'Mountain View'),),
+ (('commonName', 'mail.google.com'),)),
+ 'subjectAltName': (('othername', 'blabla'), )}
+ ok(cert, 'mail.google.com')
+
+ # No DNS entry subjectAltName and no commonName
+ cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+ 'subject': ((('countryName', 'US'),),
+ (('stateOrProvinceName', 'California'),),
+ (('localityName', 'Mountain View'),),
+ (('organizationName', 'Google Inc'),)),
+ 'subjectAltName': (('othername', 'blabla'),)}
+ fail(cert, 'google.com')
+
# Empty cert / no cert
self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')