[PATCH stable] url: fix UnicodeDecodeError on certificate verification error

Mads Kiilerich mads at kiilerich.com
Wed Jan 5 10:20:33 CST 2011


On 01/05/2011 04:44 PM, Yuya Nishihara wrote:
> Mads Kiilerich wrote:
>>> BTW, commonName=*.github.com should match github.com?
>>
>> No.
>
> Hi,
> My understanding was wrong. I just wondered why https://github.com/
> works with the certificate for *.github.com.
> I googled and found it's called as "subject alternative names":
>
> http://www.google.com/search?q=ssl+subject+alternative+names
>
> And the certificate data for github.com are:
> {'subjectAltName': (('DNS', '*.github.com'), ('DNS', 'github.com')),
>   'subject': ((('organizationName', u'*.github.com'),),
>               (('organizationalUnitName', u'Domain Control Validated'),),
>               (('commonName', u'*.github.com'),))}
>
> Maybe we need to handle 'DNS' entry of 'subjectAltName' like a 'commonName'?

Right. We fail to the safe but annoying side. I guess we should start 
using what Python 3 uses: 
http://svn.python.org/view/python/branches/py3k/Lib/ssl.py?view=markup#match_hostname

/Mads


More information about the Mercurial-devel mailing list