* anarcat <anar...@debian.org>, 2016-02-09, 09:33:
> This is typical of Python apps that depend only on urllib and so on.

Not really. Python's stdlib supports SNI since 2.7.9, which was the first version that enabled certificate verification by default, and what's in jessie.

Here the culprit is httplib2:

$ python -c 'import urllib; urllib.urlopen("https://blog.windfluechter.net/").read()' && echo yay
yay

$ python -c 'import httplib2; httplib2.Http().request("https://blog.windfluechter.net/")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1607, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1349, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1271, in _conn_request
    conn.connect()
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1046, in connect
    'host %s: %s' % (hostname, cert), hostname, cert)
httplib2.CertificateHostnameMismatch: Server presented certificate that does not match host blog.windfluechter.net: {'subjectAltName': (('DNS', 'abi94oesede.de'), ('DNS', 'www.abi94oesede.de')), 'notBefore': u'Jan 26 18:05:00 2016 GMT', 'caIssuers': (u'http://cert.int-x1.letsencrypt.org/',), 'OCSP': (u'http://ocsp.int-x1.letsencrypt.org/',), 'serialNumber': u'01839A051BF9D2873C0A3BAA9FD0227C54D1', 'notAfter': 'Apr 25 18:05:00 2016 GMT', 'version': 3L, 'subject': ((('commonName', u'abi94oesede.de'),),), 'issuer': ((('countryName', u'US'),), (('organizationName', u"Let's Encrypt"),), (('commonName', u"Let's Encrypt Authority X1"),))}

--
Jakub Wilk
