Issue #12000: When a SSL certificate has a subjectAltName without any

dNSName entry, ssl.match_hostname() should use the subject's commonName. Patch by Nicolas Bareil.
2025-08-04 00:48:58 +00:00 · 2011-05-06 15:19:49 +02:00 · 2011-05-06 15:19:49 +02:00 · 1c86b44506
commit 1c86b44506
parent 78349b06af
4 changed files with 26 additions and 2 deletions
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@ -122,8 +122,9 @@ def match_hostname(cert, hostname):
            if _dnsname_to_pat(value).match(hostname):
                return
            dnsnames.append(value)
-    if not san:
-        # The subject is only checked when subjectAltName is empty
+    if not dnsnames:
+        # The subject is only checked when there is no dNSName entry
+        # in subjectAltName
        for sub in cert.get('subject', ()):
            for key, value in sub:
                # XXX according to RFC 2818, the most specific Common Name