New submission from Christian Heimes: The ssl.match_hostname() function does not conform to RFC 6125 because it can fall back to Subject CN when a cert has no dNSName SAN (subject alternative name) but a SRVName otherName SAN or URI SAN.
---
https://tools.ietf.org/search/rfc6125#section-6.4.4

6.4.4. Checking of Common Names

As noted, a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client.
---

For now it's not a security problem because no public CA in the CA/Browser Forum is allowed to issue certs with SRV-ID or URI-ID. I checked a couple of libraries and browsers. OpenSSL, NSS/Firefox, GnuTLS, mbedtls (Polar) and libcurl don't check for the presence of SRV-ID or URI-ID either. Only Hynek's service_identity package follows the RFC to the letter.

#28191 adds the ability to fetch SRV-ID entries.

----------
assignee: christian.heimes
components: SSL
messages: 276882
nosy: christian.heimes
priority: normal
severity: normal
stage: test needed
status: open
title: ssl.match_hostname() should check for SRV-ID and URI-ID
type: behavior
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28196>
_______________________________________
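The RFC 6125 section 6.4.4 rule the report quotes, as an added example that is not part of the tracker message and not the stdlib's own ssl.match_hostname() code. It works on the dict shape that ssl.SSLSocket.getpeercert() returns and shows the fallback behaviour the report describes (CN is consulted whenever no dNSName SAN exists) next to the conforming rule (CN is never consulted once a DNS-ID, SRV-ID or URI-ID is presented). The certificate dicts are constructed for this example; the "SRV" SAN type is an assumption, since the stdlib at the time only exposed SRVName as an opaque othername. The wildcard matcher is deliberately stricter than RFC 6125 allows (only a whole leftmost "*" label).

```python
# Minimal RFC 6125 6.4.4 demonstration (added example, not stdlib code).

# Constructed sample certificates in getpeercert() dict form.
# Every one of them carries CN=www.example.com so the only difference
# between them is which SAN identifier types are presented.
CERT_NO_SAN = {
    "subject": ((("commonName", "www.example.com"),),),
}
CERT_DNS_ONLY = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
CERT_URI_ONLY = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("URI", "sip:example.com"),),
}
# "SRV" as a SAN type is an assumption for this example (see lead-in).
CERT_SRV_ONLY = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("SRV", "_xmpp-client.example.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

# Identifier types whose presence forbids any CN-ID match (RFC 6125 6.4.4).
_CN_FALLBACK_BLOCKERS = frozenset({"DNS", "SRV", "URI"})


def _dnsname_match(dn, hostname):
    """Case-insensitive label match; '*' is accepted only as the whole
    leftmost label and only when at least two more labels follow."""
    if not dn or not hostname:
        return False
    labels = dn.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(labels) != len(host_labels):
        return False
    if labels[0] == "*":
        if len(labels) < 3:
            return False
        return labels[1:] == host_labels[1:]
    return labels == host_labels


def _presented_ids(cert):
    """Return (dns_ids, blocking_types) found in the SAN extension."""
    dns_ids = []
    blocking = set()
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type in _CN_FALLBACK_BLOCKERS:
            blocking.add(san_type)
        if san_type == "DNS":
            dns_ids.append(value)
    return dns_ids, blocking


def _common_names(cert):
    """All commonName values from the subject, in certificate order."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def match_hostname_legacy(cert, hostname):
    """Behaviour the report describes: fall back to CN whenever the cert
    has no dNSName SAN, even if SRV-ID or URI-ID entries are present."""
    dns_ids, _ = _presented_ids(cert)
    if dns_ids:
        return any(_dnsname_match(d, hostname) for d in dns_ids)
    return any(_dnsname_match(cn, hostname) for cn in _common_names(cert))


def match_hostname_rfc6125(cert, hostname):
    """RFC 6125 6.4.4: once any DNS-ID, SRV-ID or URI-ID is presented,
    only DNS-IDs may match a hostname reference identifier; CN is ignored."""
    dns_ids, blocking = _presented_ids(cert)
    if blocking:
        return any(_dnsname_match(d, hostname) for d in dns_ids)
    # No presented identifiers of a relevant type: CN-ID fallback is allowed.
    return any(_dnsname_match(cn, hostname) for cn in _common_names(cert))


if __name__ == "__main__":
    for name, cert in [("no SAN", CERT_NO_SAN), ("DNS", CERT_DNS_ONLY),
                       ("URI", CERT_URI_ONLY), ("SRV", CERT_SRV_ONLY)]:
        print(name, "legacy:", match_hostname_legacy(cert, "www.example.com"),
              "rfc6125:", match_hostname_rfc6125(cert, "www.example.com"))
```

The URI-only and SRV-only certificates are the cases the report is about: the legacy rule accepts them for www.example.com through the CN, while the conforming rule rejects them because an identifier type the client understands was presented and none of them is a DNS-ID that matches.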