Mercurial > hg
comparison mercurial/sslutil.py @ 14666:27b080aa880a
sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798)
Any entries in subjectAltName would prevent fallback to using commonName, but
RFC 2818 says:
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used.
We now only consider dNSNames in subjectAltName.
(dNSName is known as 'DNS' in OpenSSL/Python.)
| author | Nicolas Bareil <nico@chdir.org> |
|---|---|
| date | Sat, 18 Jun 2011 01:03:03 +0200 |
| parents | 64dfbe576455 |
| children | 8f12dac18d13 |
comparison
equal
deleted
inserted
replaced
| 14665:d89f80898178 | 14666:27b080aa880a |
|---|---|
| 46 if san: | 46 if san: |
| 47 certnames = [value.lower() for key, value in san if key == 'DNS'] | 47 certnames = [value.lower() for key, value in san if key == 'DNS'] |
| 48 for name in certnames: | 48 for name in certnames: |
| 49 if matchdnsname(name): | 49 if matchdnsname(name): |
| 50 return None | 50 return None |
| 51 return _('certificate is for %s') % ', '.join(certnames) | 51 if certnames: |
| 52 return _('certificate is for %s') % ', '.join(certnames) | |
| 52 | 53 |
| 53 # subject is only checked when subjectAltName is empty | 54 # subject is only checked when subjectAltName is empty |
| 54 for s in cert.get('subject', []): | 55 for s in cert.get('subject', []): |
| 55 key, value = s[0] | 56 key, value = s[0] |
| 56 if key == 'commonName': | 57 if key == 'commonName': |