[issue2798] SSL certificate verification failed if no dNSName entry in subjectAltName

Nicolas Bareil bugs at mercurial.selenic.com
Fri May 6 14:10:23 UTC 2011


New submission from Nicolas Bareil <nico at chdir.org>:

When connecting to an HTTPS server, the certificate verification fails if
it has a subjectAltName extension without any dNSName entry inside: it
should fall back to the Common Name.

Mercurial's _verifycert() was based on the py3k implementation, which was
fixed today (more details here: http://bugs.python.org/issue12000).

The patch should look like this (not tested, sorry):

diff -r d62d597b8974 mercurial/sslutil.py
--- a/mercurial/sslutil.py      Thu May 05 18:05:24 2011 +0200
+++ b/mercurial/sslutil.py      Fri May 06 16:08:50 2011 +0200
@@ -46,7 +46,8 @@
         for name in certnames:
             if matchdnsname(name):
                 return None
-        return _('certificate is for %s') % ', '.join(certnames)
+        if certnames:
+            return _('certificate is for %s') % ', '.join(certnames)
 
     # subject is only checked when subjectAltName is empty
     for s in cert.get('subject', []):
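Review bot: the comment directly below the changed lines, `# subject is only checked when subjectAltName is empty`, no longer matches the behaviour; with `if certnames:` guarding the error return, the subject loop is also reached when subjectAltName is present but holds no dNSName entry, so reword it to `# subject is only checked when subjectAltName has no dNSName entries`. The visible `for name in certnames` loop still returns early on the first match, so a present-but-non-matching dNSName continues to produce the `certificate is for ...` error rather than falling through to the subject, which is the intended behaviour.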
diff -r d62d597b8974 tests/test-url.py
--- a/tests/test-url.py Thu May 05 18:05:24 2011 +0200
+++ b/tests/test-url.py Fri May 06 16:08:50 2011 +0200
@@ -33,6 +33,12 @@
       None)
 check(_verifycert(san_cert, 'foo.example.net'),
       None)
+
+# no dNSName in subjectAltName
+san_cert = {'subject': ((('commonName', 'example.com'),),),
+            'subjectAltName': (('other', '*.example.net'),)}
+check(_verifycert(san_cert, 'example.com'), None)
+
 # subject is only checked when subjectAltName is empty
 check(_verifycert(san_cert, 'example.com'),
       'certificate is for *.example.net, example.net')
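Review bot: rebinding `san_cert` here changes the input of the existing check that follows it, `check(_verifycert(san_cert, 'example.com'), 'certificate is for *.example.net, example.net')`, which was written against the earlier `san_cert` that carried the two dNSName entries; with the new dict the call falls back to the commonName and returns None, so that check would start failing once the fix is applied. Give the new certificate a distinct name such as `san_cert_nodns`, or place the new block after the existing check.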

----------
messages: 16212
nosy: nbareil
priority: bug
status: unread
title: SSL certificate verification failed if no dNSName entry in subjectAltName

____________________________________________________
Mercurial issue tracker <bugs at mercurial.selenic.com>
<http://mercurial.selenic.com/bts/issue2798>
____________________________________________________
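The fallback the report describes, as an added example that is not Mercurial's sslutil.py: a hostname check that treats dNSName entries as authoritative only when at least one is present and otherwise falls back to the subject commonName, run over certificate dicts shaped like the ones in the report's test-url.py. The wildcard rule in matchdnsname is an assumption of this example, not Mercurial's matcher.

```python
def matchdnsname(pattern, hostname):
    """Match a dNSName/commonName pattern against hostname label by label;
    a lone '*' is accepted only as the whole leftmost label (assumption of
    this added example, not Mercurial's own matcher)."""
    pats = pattern.lower().split('.')
    labels = hostname.lower().split('.')
    if len(pats) != len(labels) or '' in pats or '' in labels:
        return False
    if pats[0] == '*':
        return pats[1:] == labels[1:]
    return pats == labels


def verifycert(cert, hostname):
    """Return None when cert is valid for hostname, else an error string.

    Implements the behaviour the report asks for: dNSName entries in
    subjectAltName are authoritative only when at least one is present;
    an extension holding only other entry types falls back to the
    subject commonName.
    """
    if not cert:
        return 'no certificate received'
    dnsnames = [value for key, value in cert.get('subjectAltName', ())
                if key == 'DNS']
    for name in dnsnames:
        if matchdnsname(name, hostname):
            return None
    if dnsnames:
        return 'certificate is for %s' % ', '.join(dnsnames)
    # subject is only checked when subjectAltName has no dNSName entries
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                if matchdnsname(value, hostname):
                    return None
                return 'certificate is for %s' % value
    return 'no commonName or subjectAltName found in certificate'


# Constructed inputs shaped like ssl.getpeercert() output: the report's
# "no dNSName" case, a normal SAN certificate, and a subject-only one.
SAN_WITHOUT_DNS = {'subject': ((('commonName', 'example.com'),),),
                   'subjectAltName': (('other', '*.example.net'),)}
SAN_WITH_DNS = {'subject': ((('commonName', 'example.com'),),),
                'subjectAltName': (('DNS', '*.example.net'),
                                   ('DNS', 'example.net'))}
CN_ONLY = {'subject': ((('commonName', 'example.com'),),)}
```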


More information about the Mercurial-devel mailing list