Steffen Ullrich added the comment:

On Sun, Dec 11, 2016 at 08:26:32PM +0000, Christian Heimes <rep...@bugs.python.org> wrote:
>
> Christian Heimes added the comment:
>
> Python's implementation of host name verification conforms to RFC 6125,
> section 6.4.4. The CN check is optional (MAY). Python treats the presence of
> an IP Address as indicator that CN check should not be performed.
RFC 6125 does not obsolete RFC 2818. In fact, it says in section 1.4:

    This document also does not supersede the rules for verifying service
    identity provided in specifications for existing application protocols
    published prior to this document, such as those excerpted under
    Appendix B...

where Appendix B.2 explicitly cites the relevant parts from RFC 2818, like this from its section 3.1:

    If a subjectAltName extension of type dNSName is present, that MUST be
    used as the identity. Otherwise, the (most specific) Common Name field
    in the Subject field of the certificate MUST be used.

Thus, while RFC 6125 might say MAY for checking the CN, the more specific RFC 2818 clearly says MUST.

Also, the intention of RFC 6125 in 6.4.4 is, in my opinion, to distinguish between applications never checking the CN and applications which check the CN, while telling the latter that the CN should not be checked for specific SAN record types. iPAddress is not a type which is considered for this special treatment.

Regards,
Steffen

----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28938>
_______________________________________
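The two verification policies the thread argues about, as an added example that is not code from the Python tracker, from the ssl module, or from either participant. It models RFC 2818 section 3.1 as quoted above (dNSName SAN if present, else the most specific CN) next to the reading of RFC 6125 section 6.4.4 that the thread attributes to Python's implementation (any SAN entry, iPAddress included, suppresses the CN check). Certificates use the layout returned by ssl.SSLSocket.getpeercert(), with "DNS" and "IP Address" as the subjectAltName type labels; all certificates are constructed sample data, and the wildcard handling is a deliberate simplification of RFC 6125 section 6.4.3.

```python
"""Added example: two host name verification policies side by side.
Not Python's ssl module code; certificates below are constructed samples."""
import ipaddress


def _is_ip_literal(hostname: str) -> bool:
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match allowing one wildcard as the whole
    leftmost label ("*.example.com"); a simplification of RFC 6125 6.4.3."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    parent = pattern[2:]
    labels = hostname.split(".")
    # The wildcard must cover exactly one non-empty label, and the parent
    # must contain a dot so "*.com" never matches anything.
    return ("." in parent and len(labels) >= 2 and labels[0] != ""
            and ".".join(labels[1:]) == parent)


def _san_values(cert: dict, kind: str) -> list:
    """All subjectAltName values of one type ("DNS" or "IP Address")."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _most_specific_cn(cert: dict):
    """RFC 2818 wants the most specific CN; the last RDN of the subject is
    the most specific, so the last commonName found is returned."""
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    return cns[-1] if cns else None


def _ip_match(san_ips, hostname: str) -> bool:
    target = ipaddress.ip_address(hostname)
    for value in san_ips:
        try:
            if ipaddress.ip_address(value) == target:
                return True
        except ValueError:  # tolerate a malformed iPAddress entry
            continue
    return False


def verify_rfc2818(cert: dict, hostname: str) -> bool:
    """RFC 2818 3.1: a dNSName SAN, if present, MUST be used as the identity;
    otherwise the most specific CN MUST be used. An IP-literal host is
    matched only against iPAddress SAN entries."""
    if _is_ip_literal(hostname):
        return _ip_match(_san_values(cert, "IP Address"), hostname)
    dns_names = _san_values(cert, "DNS")
    if dns_names:
        return any(_dns_match(p, hostname) for p in dns_names)
    cn = _most_specific_cn(cert)
    return cn is not None and _dns_match(cn, hostname)


def verify_san_suppresses_cn(cert: dict, hostname: str) -> bool:
    """The RFC 6125 6.4.4 reading the thread attributes to Python: the
    presence of any SAN entry, iPAddress included, means the CN is never
    consulted, so a DNS host name can only match a dNSName SAN."""
    if _is_ip_literal(hostname):
        return _ip_match(_san_values(cert, "IP Address"), hostname)
    dns_names = _san_values(cert, "DNS")
    if dns_names or _san_values(cert, "IP Address"):
        return any(_dns_match(p, hostname) for p in dns_names)
    cn = _most_specific_cn(cert)
    return cn is not None and _dns_match(cn, hostname)


# Constructed sample certificates in getpeercert() layout (RFC 5737 test address).
CERT_IP_SAN_ONLY = {  # the disputed case: CN plus an iPAddress SAN, no dNSName
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
CERT_DNS_SAN = {      # dNSName present: the CN is ignored under both policies
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"),),
}
CERT_CN_ONLY = {      # no SAN at all: the wildcard CN is the only identity
    "subject": ((("organizationName", "Example"),), (("commonName", "*.example.com"),)),
}

if __name__ == "__main__":
    for policy in (verify_rfc2818, verify_san_suppresses_cn):
        print(policy.__name__, "www.example.com vs CERT_IP_SAN_ONLY ->",
              policy(CERT_IP_SAN_ONLY, "www.example.com"))
```

Running the block shows the exact disagreement in the thread: for CERT_IP_SAN_ONLY and the host name www.example.com, the RFC 2818 policy accepts the certificate via its CN, while the SAN-suppresses-CN policy rejects it; for a dNSName-bearing certificate or an IP-literal host the two policies agree.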