Christian Heimes added the comment:

OpenSSL's print() functions fail to handle the NULL byte in subjectAltName 
(SAN) general names as they use strlen() or printf() functions with "%s" format 
char. The subject and issuer elements with NULL bytes are handled correctly by 
OpenSSL.

wget and curl combine CN / SAN parsing and hostname matching in one function. 
Both report an error when they see a NULL byte in a dNSName (strlen(dNSName) != 
length of ASN1_STRING).

Python has separate functions for retrieving the X.509 information and matching 
a hostname against CN / SAN. I like to keep it that way and just fix our 
parsing code in this bug. Later ssl.match_hostname() can check for NULL bytes 
and raise an exception, but that's a different issue.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue18709>
_______________________________________
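
The "%s" truncation and the strlen-versus-length check described in the comment above, as an added example (not code from OpenSSL, wget, curl or CPython). struct gen_name is a hypothetical stand-in for ASN1_STRING, and the sample dNSName is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for OpenSSL's ASN1_STRING: bytes plus explicit length. */
struct gen_name { const unsigned char *data; size_t length; };

/* Constructed sample dNSName with an embedded NUL byte (30 bytes). */
static const unsigned char SAMPLE[] = "www.example.org\0.other.example";
static const struct gen_name SAMPLE_NAME = { SAMPLE, sizeof(SAMPLE) - 1 };

/* Same result as strlen(name) != length, without relying on a terminator. */
int has_embedded_nul(const struct gen_name *n)
{
    return memchr(n->data, 0, n->length) != NULL;
}

/* What a "%s"-style printer produces: output stops at the first NUL. */
int render_truncating(const struct gen_name *n, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%.*s", (int)n->length, (const char *)n->data);
}

/* Length-driven rendering: emit all n->length bytes, escaping non-printables. */
int render_escaped(const struct gen_name *n, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0)
        return -1;
    for (size_t i = 0; i < n->length; i++) {
        unsigned char c = n->data[i];
        int printable = c >= 0x20 && c < 0x7f && c != '\\';
        if (pos + (printable ? 1 : 4) + 1 > outlen)
            return -1;                      /* refuse to truncate silently */
        if (printable)
            out[pos++] = (char)c;
        else
            pos += (size_t)snprintf(out + pos, outlen - pos, "\\x%02x", c);
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    char buf[128];
    render_truncating(&SAMPLE_NAME, buf, sizeof buf);
    printf("%%s view  : %s\n", buf);
    render_escaped(&SAMPLE_NAME, buf, sizeof buf);
    printf("full name: %s (embedded NUL: %d)\n", buf, has_embedded_nul(&SAMPLE_NAME));
    return 0;
}
```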