[Python-Dev] frozenset C API?
Bill Janssen janssen at parc.com
Wed Sep 12 20:12:24 CEST 2007
- Previous message: [Python-Dev] frozenset C API?
- Next message: [Python-Dev] SSL certs
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> By the way, I think the hostname matching provisions of 2818 (which
> is, after all, only an informational RFC, not a standard) are poorly
> thought out. Many machines have more hostnames than you can shake a
> stick at, and often provide certs with the wrong hostname in them
> (usually because they have no way to determine what the right
> hostname is, from inside that machine).
...which is why you pretty much need to have a canonical hostname mapped to each IP you're using on a machine. Basically, you need to map the hostname you intend to use to an IP, then do reverse-DNS to find out whether the hostname is in fact the canonical hostname. If not, you're using the wrong hostname on your cert.
Yep. The problem is having a particular service know which certificate it should choose to use, and also to know when the network connectivity has changed. Usually, server ports are bound to wildcard IP addresses, so that they can still be reached even if the network connectivity changes (particularly true for servers running on laptops, or the Python server I'm running on my iPhone). The server has no way of knowing which IP address the client knows it as, and no way of knowing which of its multiple certificates to present, so that the name in the cert will match the name the client thought it was using.
Or am I wrong? Is there some interface in the socket API which gives this information?
Bill
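An added example, not part of the original thread, showing what the socket API does and does not give a server in the situation Bill describes: a listener bound to the wildcard address can learn, from the accepted socket's `getsockname()`, which local IP the client actually connected to, and can then map that IP through reverse DNS to a canonical name and pick a certificate for it (the procedure in the earlier reply). The reverse-DNS table and certificate store below are constructed stand-ins (no real hosts or certificate files); in practice the lookup would be `socket.gethostbyaddr`. The caveat the example makes visible is that this yields an IP, never the hostname the client typed, so when several names share one IP the server still cannot tell which one the client expects in the cert.

```python
import socket

# Constructed stand-ins for reverse DNS and the server's certificate store.
# Assumption: one canonical name per local IP; anything else is ambiguous.
REVERSE_DNS = {"127.0.0.1": "localhost"}
CERTS_BY_NAME = {"localhost": "cert-for-localhost.pem"}  # placeholder path


def local_address_of_accepted_connection(listen_host="0.0.0.0"):
    """Bind a wildcard listener, connect to it over loopback, and return the
    local (server-side) IP that the accepted socket reports.

    This is the only address information the socket layer gives a server
    bound to a wildcard: the IP the client reached, not the name it used.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    client = socket.create_connection(("127.0.0.1", port))
    conn, _peer = listener.accept()
    try:
        local_ip, _local_port = conn.getsockname()
    finally:
        conn.close()
        client.close()
        listener.close()
    return local_ip


def choose_cert(local_ip, reverse_dns=REVERSE_DNS, certs=CERTS_BY_NAME):
    """Map the connection's local IP to a canonical hostname and then to the
    certificate issued for that name. Returns None when either step fails,
    i.e. when the server has no safe basis for picking a certificate."""
    name = reverse_dns.get(local_ip)
    if name is None:
        return None
    return certs.get(name)


if __name__ == "__main__":
    ip = local_address_of_accepted_connection()
    print("client reached local IP:", ip)
    print("certificate chosen:", choose_cert(ip))
```

Running the block connects to its own wildcard listener over loopback, reports the local IP as 127.0.0.1, and selects the constructed localhost certificate; an IP absent from the reverse-DNS table yields no certificate rather than a guess.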