Mads Kiilerich <m...@kiilerich.com> added the comment:

> So I know the current patch doesn't support IP addresses

Not exactly. The committed patch does not consider IP addresses - especially not iPAddress entries in subjectAltName. But Python only distinguishes resolvable names from IP addresses at a very low level. At the ssl module level the name and IP are considered the same, so we actually do support IP addresses if specified in commonName or subjectAltName DNS. We are thus "vulnerable" to this issue. (AFAIK AFAICS)

(It seems like IP in commonName isn't permitted by the RFCs, but I think it is quite common, especially for self-signed certificates.)

> CVE-2010-3170: http://www.mozilla.org/security/announce/2010/mfsa2010-70.html

For reference, the actual report can be found on http://www.securityfocus.com/archive/1/513396

FWIW, I don't think it is critical at all. Granted, it is a deviation from the specification, and that is not good in a security critical part. But we do not claim to implement the full specification, so I don't think this deviation makes any difference.

Further, this issue will only have relevance if one of the trusted CAs creates invalid certificates. But if the trusted CAs create invalid certificates the user has lost anyway and things can't get much worse.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue1589>
_______________________________________
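The comment above describes the gap: a matcher that treats an IP literal like any other name will happily run it through DNS wildcard matching, which is the class of bug CVE-2010-3170 covers. The following is an added example, not the committed patch and not the ssl module's own code, showing a hostname matcher that keeps the two paths separate: IP literals are compared by exact value against `IP Address` subjectAltName entries (falling back to a commonName that is itself the same IP, the self-signed case mentioned above), and are never handed to the wildcard matcher. The certificate dicts, names and addresses are constructed for the example and follow the `getpeercert()` layout.

```python
import ipaddress
import re


class CertificateError(ValueError):
    """Raised when the certificate does not match the requested host."""


def _is_ip_literal(host):
    """True if *host* parses as an IPv4/IPv6 literal (brackets allowed)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _common_names(cert):
    """Yield every commonName value from the certificate's subject."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                yield value


def _dnsname_match(pattern, hostname):
    """Match a dNSName pattern against a DNS hostname.

    A single '*' is honoured only in the leftmost label and never
    matches across a dot, so '*.example.com' does not match
    'a.b.example.com'. IP literals must not reach this function.
    """
    if not pattern:
        return False
    labels = pattern.lower().split(".")
    leftmost, remainder = labels[0], labels[1:]
    if leftmost.count("*") > 1:
        raise CertificateError("too many wildcards in %r" % pattern)
    if "*" not in leftmost:
        return pattern.lower() == hostname.lower()
    if leftmost == "*":
        fragments = ["[^.]+"]  # a bare '*' must match one non-empty label
    else:
        fragments = [re.escape(leftmost).replace(r"\*", "[^.]*")]
    fragments.extend(re.escape(label) for label in remainder)
    regex = re.compile(r"\A" + r"\.".join(fragments) + r"\Z", re.IGNORECASE)
    return regex.match(hostname) is not None


def match_hostname(cert, hostname):
    """Verify that *cert* (getpeercert()-style dict) was issued for *hostname*.

    IP literals are matched only by exact value: against 'IP Address' SAN
    entries or, if there are none, a commonName that is literally the same
    address. They never go through the wildcard matcher.
    """
    sans = cert.get("subjectAltName", ())
    if _is_ip_literal(hostname):
        wanted = ipaddress.ip_address(hostname.strip("[]"))
        ip_entries = [v for k, v in sans if k == "IP Address"]
        candidates = ip_entries if ip_entries else list(_common_names(cert))
        for value in candidates:
            try:
                if ipaddress.ip_address(value) == wanted:
                    return
            except ValueError:
                continue  # e.g. '*.168.1.1': not an IP, so it cannot match one
        raise CertificateError("certificate is not valid for IP %s" % hostname)

    dns_entries = [v for k, v in sans if k == "DNS"]
    candidates = dns_entries if dns_entries else list(_common_names(cert))
    for value in candidates:
        if _dnsname_match(value, hostname):
            return
    raise CertificateError("hostname %r does not match certificate" % hostname)


def hostname_matches(cert, hostname):
    """Boolean convenience wrapper around match_hostname()."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


# Constructed sample certificates in ssl.getpeercert() dict form (not real certs).
WILDCARD_IP_CERT = {  # the CVE-2010-3170 shape: a wildcard that looks like an IP
    "subject": ((("commonName", "*.168.1.1"),),),
    "subjectAltName": (("DNS", "*.168.1.1"),),
}
SAN_IP_CERT = {
    "subject": ((("commonName", "gateway"),),),
    "subjectAltName": (("DNS", "gateway.example.com"), ("IP Address", "10.0.0.1")),
}
CN_IP_CERT = {  # self-signed style: IP in commonName, no subjectAltName
    "subject": ((("commonName", "10.0.0.2"),),),
}

if __name__ == "__main__":
    for cert, host in [(WILDCARD_IP_CERT, "192.168.1.1"), (SAN_IP_CERT, "10.0.0.1"),
                       (CN_IP_CERT, "10.0.0.2"), (SAN_IP_CERT, "gateway.example.com")]:
        print(host, "->", hostname_matches(cert, host))
```

The only behavioural difference from a name-only matcher is the `_is_ip_literal` branch: once a connection target is recognised as an address, a `DNS` entry or a wildcard commonName cannot satisfy it, whatever the leftmost label looks like.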