Issue #12000: When a SSL certificate has a subjectAltName without any

dNSName entry, ssl.match_hostname() should use the subject's commonName. Patch by Nicolas Bareil.
2025-08-03 16:39:00 +00:00 · 2011-05-06 15:19:49 +02:00 · 2011-05-06 15:19:49 +02:00 · 1c86b44506
commit 1c86b44506
parent 78349b06af
4 changed files with 26 additions and 2 deletions
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@ -277,6 +277,24 @@ class BasicSocketTests(unittest.TestCase):
                            (('organizationName', 'Google Inc'),))}
        fail(cert, 'mail.google.com')

+        # No DNS entry in subjectAltName but a commonName
+        cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+                'subject': ((('countryName', 'US'),),
+                            (('stateOrProvinceName', 'California'),),
+                            (('localityName', 'Mountain View'),),
+                            (('commonName', 'mail.google.com'),)),
+                'subjectAltName': (('othername', 'blabla'), )}
+        ok(cert, 'mail.google.com')
+
+        # No DNS entry subjectAltName and no commonName
+        cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
+                'subject': ((('countryName', 'US'),),
+                            (('stateOrProvinceName', 'California'),),
+                            (('localityName', 'Mountain View'),),
+                            (('organizationName', 'Google Inc'),)),
+                'subjectAltName': (('othername', 'blabla'),)}
+        fail(cert, 'google.com')
+
        # Empty cert / no cert
        self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
        self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')