Issue 23928: SSL wiki page, host name matching, CN and SAN
Created on 2015-04-13 07:17 by Jeffrey.Walton, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Messages (4)

msg240590 - Author: Jeffrey Walton (Jeffrey.Walton) - Date: 2015-04-13 07:17
The Python wiki page on SSL states (https://wiki.python.org/moin/SSL):

> To validate that a certificate matches requested site, you need to check commonName field in the subject of the certificate.

I don't think it's quite correct. Both the IETF and the CA/B Forums deprecated the use of a hostname or IP address in the commonName (CN). All hostnames and IP addresses must be listed in the subjectAlternateName (SAN), and that's where to look for them.

Though deprecated, placing a name in the CN is not forbidden. In fact, RFC 6125 states the CN should be used as a "last resort" in Section 6.4.4:

> Therefore, if and only if the presented identifiers do not include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client, then the client MAY as a last resort check for a string whose form matches that of a fully qualified DNS domain name in a Common Name field of the subject field (i.e., a CN-ID).

Following the advice on the wiki might lead to a Type II error, where an otherwise good certificate is rejected. It's not as bad as accepting a bad certificate, though (by omitting the hostname matching checks).

The IETF deprecated the practice of placing a name in the CN in RFC 6125, Section 6.4.4. The CA/Browser Forum deprecated a DNS name in the CN in Baseline Requirements (BR) Section 9.2.2 Subject Common Name Field.
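The matching order the message describes (subjectAltName first, CN only when the certificate presents no DNS-ID or URI-ID at all), as an added example that is not part of the original report or of the Python ssl module. It works on the decoded dict shape that ssl.SSLSocket.getpeercert() returns; the two certificates below are constructed sample data, and the function names are this example's own.

```python
"""Hostname matching in the order RFC 6125 section 6.4.4 prescribes: presented
identifiers in subjectAltName first, the subject commonName only as a last
resort when the certificate carries no DNS-ID (or URI-ID) at all.

The certificate is the dict shape returned by ssl.SSLSocket.getpeercert(),
so the checks below run offline on constructed sample data."""
import ipaddress

# Constructed sample certificates (not real certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "*.example.org"),)),
}


def san_entries(cert, kind):
    """All subjectAltName values of one kind ('DNS', 'IP Address', 'URI')."""
    return [value for (k, value) in cert.get("subjectAltName", ()) if k == kind]


def common_names(cert):
    """Every commonName attribute in the subject, in order."""
    return [
        value
        for rdn in cert.get("subject", ())
        for (attr, value) in rdn
        if attr == "commonName"
    ]


def dns_name_matches(presented, reference):
    """RFC 6125 section 6.4.3 comparison: case-insensitive, and a wildcard is
    only accepted as the entire leftmost label, matching exactly one label."""
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if "*" not in presented:
        return p_labels == r_labels
    # Reject partial wildcards (f*.example.org), wildcards in any other label,
    # and wildcards that would cover a whole public suffix such as '*.com'.
    if (p_labels[0] != "*"
            or any("*" in lbl for lbl in p_labels[1:])
            or len(p_labels) < 3):
        return False
    return len(p_labels) == len(r_labels) and p_labels[1:] == r_labels[1:]


def match_hostname(cert, hostname):
    """Return (matched, identifier_kind) for the reference identity `hostname`.

    identifier_kind records which presented identifiers decided the outcome:
    'SAN:IP', 'SAN:DNS', or 'CN' (the last resort)."""
    try:
        reference_ip = ipaddress.ip_address(hostname)
    except ValueError:
        reference_ip = None

    if reference_ip is not None:
        # An IP reference identity is only matched by an iPAddress SAN entry;
        # an IP in the CN is never accepted (RFC 6125 leaves IPs out of scope,
        # and the CA/B Forum BRs require them in the SAN).
        for presented in san_entries(cert, "IP Address"):
            try:
                if ipaddress.ip_address(presented) == reference_ip:
                    return True, "SAN:IP"
            except ValueError:
                continue  # malformed entry, ignore it
        return False, "SAN:IP"

    dns_ids = san_entries(cert, "DNS")
    if dns_ids or san_entries(cert, "URI"):
        # Presented DNS-IDs (or URI-IDs) exist: the CN must not be consulted,
        # even if it happens to contain the hostname.
        return any(dns_name_matches(p, hostname) for p in dns_ids), "SAN:DNS"

    # Last resort: CN-ID, only because the SAN carried no name identifiers.
    return any(dns_name_matches(cn, hostname) for cn in common_names(cert)), "CN"


if __name__ == "__main__":
    for cert, name in [
        (CERT_WITH_SAN, "www.example.com"),
        (CERT_WITH_SAN, "legacy.example.net"),  # CN ignored: SAN has DNS-IDs
        (CERT_WITH_SAN, "192.0.2.10"),
        (CERT_CN_ONLY, "mail.example.org"),     # CN used as last resort
        (CERT_CN_ONLY, "a.b.example.org"),      # wildcard spans one label only
    ]:
        print(name, match_hostname(cert, name))
```

The second case is the one the wiki advice gets wrong in the other direction: CERT_WITH_SAN names legacy.example.net in its CN, but because the certificate presents DNS-IDs, a client following RFC 6125 must not fall back to the CN, so that connection is rejected. Hostname matching is only half of verification; the chain itself still has to be validated against trusted roots before any of this is meaningful.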
msg240600 - Author: Antoine Pitrou (pitrou) - Date: 2015-04-13 11:21

Thanks for the report; your remarks are obviously true. Unfortunately, the wiki is community-maintained, there's not much point in reporting bugs here about it. That page's contents look very outdated, by the way. The official documentation for the ssl module is here: https://docs.python.org/3/library/ssl.html
msg240601 - Author: Antoine Pitrou (pitrou) - Date: 2015-04-13 11:31

I'm closing this issue since it isn't part of our responsibilities here, sorry. If you want to see that wiki page fixed, the best is probably to... fix it yourself :-) (it's a wiki after all) (frankly, I think it should be removed or replaced with a pair of links to the official ssl module and the pyOpenSSL docs)
msg240637 - Author: Jeffrey Walton (Jeffrey.Walton) - Date: 2015-04-13 16:03

> there's not much point in reporting bugs here about it.

Oh, sorry about that.

> That page's contents look very outdated, by the way.

Yeah, there's a few opportunities for improvement.
History

Date | User | Action | Args
---|---|---|---
2022-04-11 14:58:15 | admin | set | github: 68116
2015-04-13 16:03:06 | Jeffrey.Walton | set | messages: +
2015-04-13 11:31:51 | pitrou | set | status: open -> closed; resolution: wont fix; messages: +; stage: resolved
2015-04-13 11:21:22 | pitrou | set | nosy: + pitrou; messages: +
2015-04-13 07:17:28 | Jeffrey.Walton | create |