New submission from Jeffrey Walton:
The Python wiki page on SSL states (https://wiki.python.org/moin/SSL):
To validate that a certificate matches requested site,
you need to check commonName field in the subject of
the certificate.
I don't think its quite correct.
Both the IETF and the CA/B Forums deprecated the use of a hostname or IP
address in the commonName (CN). All hostnames and IP addresses must be listed
in the subjectAlternateName (SAN), and that's where to look for them.
Though deprecated, placing a name in the CN is not forbidden. In fact, RFC 6125
states the CN should be used as a "last resort" in Section 6.4.4:
Therefore, if and only if the presented identifiers
do not include a DNS-ID, SRV-ID, URI-ID, or any
application-specific identifier types supported by
the client, then the client MAY as a last resort check
for a string whose form matches that of a fully
qualified DNS domain name in a Common Name field of
the subject field (i.e., a CN-ID).
Following the advice on the wiki might lead to a Type II error, where an
otherwise good certificate is rejected. Its not as bad as accepting a bad
certificate, though (by omitting the hostname matching checks).
The IETF deprecated the practice of placing a name in the CN in RFC 6125,
Section 6.4.4. The CA/Browser Forum deprecated a DNS name in the CN in Baseline
Requirements (BR) Section 9.2.2 Subject Common Name Field.
----------
assignee: docs@python
components: Documentation
messages: 240590
nosy: Jeffrey.Walton, docs@python
priority: normal
severity: normal
status: open
title: SSL wiki page, host name matching, CN and SAN
type: enhancement
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23928>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
