Nicolas Bareil added the comment:
Martin v. Löwis writes:
>> what do you think about a DeprecationWarning at runtime?
>
> What API exactly should this deprecate?
Oops, lapsus. I was thinking about a RuntimeWarning raised on HTTPS
request (in httplib.HTTPSConnection.connect
Nicolas Bareil added the comment:
Hello,
Your patch about SSLContext is great! But what can we do about Python 2.x?
I understand that we have to keep backward compatibility, but something has to
be done to improve the current situation; even the Paypal API (*) recommends using
urllib.urlopen
Nicolas Bareil added the comment:
Hello Mads
> Until now Python failed to the safe side by not matching on
> subjectAltName iPAddress but also not falling back to commonName
> if they were specified. AFAICS, with this change it is possible to
> create strange certificates that
Nicolas Bareil added the comment:
Hello Antoine, Steffen,
You are absolutely right about removing the 'not san' part. Here is the
new patch, with tests:
diff -r c22d5b37f6a4 Lib/ssl.py
--- a/Lib/ssl.pyFri May 06 09:31:02 2011 +0300
+++ b/Lib/ssl.pyFri May 06 12:
New submission from Nicolas Bareil :
When connecting to an SSL server, the certificate verification fails if
it has a subjectAltName extension without any dNSName entry inside: it
should fall back to the Common Name.
Example:
>>> cert = conn.getpeercert()
>>> cert
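The matching rule discussed in this thread, written out as an added example (this is not the patch attached to the issue and not the ssl module's own code): dNSName entries in subjectAltName are authoritative whenever any are present, and the subject commonName is consulted only when the certificate carries no dNSName at all, which covers both "no SAN extension" and "SAN with only iPAddress or email entries". The input format is the dict returned by getpeercert(); the three certificates at the bottom are constructed samples, not real certificates, and the `hostname_matches` wrapper is a convenience added here.

```python
import re

# Added example, not code from the issue's patch or from Lib/ssl.py.
# Hostname verification over a getpeercert()-style dict with the fallback the
# issue asks for: SAN dNSName entries win when present; only a certificate with
# no dNSName at all (no SAN, or a SAN holding only IP Address / email entries)
# is matched against the subject commonName.


class CertificateError(ValueError):
    """Raised when the hostname does not match the certificate."""


def _dnsname_match(pattern, hostname):
    """Match hostname against one dNSName/CN pattern.

    A single wildcard label is allowed only in the leftmost position and
    matches exactly one label; every other label is compared literally.
    """
    if not pattern:
        return False
    leftmost, rest = pattern.lower().split('.')[0], pattern.lower().split('.')[1:]
    if '*' in ''.join(rest):
        return False  # wildcards outside the leftmost label are rejected
    if leftmost == '*':
        regex = r'[^.]+'
    elif '*' in leftmost:
        regex = r'[^.]*'.join(re.escape(part) for part in leftmost.split('*'))
    else:
        regex = re.escape(leftmost)
    full = r'\A' + regex + ''.join(r'\.' + re.escape(label) for label in rest) + r'\Z'
    return re.match(full, hostname.lower()) is not None


def match_hostname(cert, hostname):
    """Raise CertificateError unless hostname matches cert (getpeercert() dict)."""
    if not cert:
        raise CertificateError("empty or no certificate")
    dnsnames = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if _dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    if not dnsnames:
        # No dNSName anywhere in the SAN (or no SAN extension): fall back to CN.
        # Note the consequence raised in the thread: a certificate whose SAN
        # holds only an iPAddress entry is still matched on its commonName.
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    if _dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    if len(dnsnames) > 1:
        raise CertificateError("hostname %r doesn't match either of %s"
                               % (hostname, ', '.join(map(repr, dnsnames))))
    if len(dnsnames) == 1:
        raise CertificateError("hostname %r doesn't match %r" % (hostname, dnsnames[0]))
    raise CertificateError("no appropriate commonName or subjectAltName fields were found")


def hostname_matches(cert, hostname):
    """Boolean convenience wrapper (added here) around match_hostname()."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


# Constructed sample certificates in getpeercert() format (not real certs).
CERT_SAN_IP_ONLY = {           # SAN present but carries no dNSName
    'subject': ((('commonName', 'example.test'),),),
    'subjectAltName': (('IP Address', '192.0.2.10'),),
}
CERT_SAN_DNS = {               # dNSName present: commonName must be ignored
    'subject': ((('commonName', 'ignored.test'),),),
    'subjectAltName': (('DNS', 'www.example.test'), ('DNS', '*.cdn.example.test')),
}
CERT_CN_ONLY = {               # no SAN extension at all
    'subject': ((('commonName', 'mail.example.test'),),),
}

if __name__ == '__main__':
    for cert, host in ((CERT_SAN_IP_ONLY, 'example.test'),
                       (CERT_SAN_DNS, 'ignored.test'),
                       (CERT_SAN_DNS, 'a.cdn.example.test')):
        print(host, '->', hostname_matches(cert, host))
```

Running the block shows the three cases the thread cares about: the iPAddress-only SAN falls back to its CN and matches, the certificate with dNSName entries refuses its CN, and the leftmost wildcard matches exactly one label.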