Bug 830190 - python-httplib2 failed to verify certificate with only one element in subjectAltName,dns
Status: CLOSED DUPLICATE of bug 832344
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: python-httplib2
Version: el6
Hardware: noarch
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Andreas Bierfert
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-08 13:49 UTC by Jose Castro Leon
Modified: 2012-06-21 08:28 UTC (History)
Last Closed: 2012-06-21 08:28:06 UTC
Type: Bug

Description Jose Castro Leon 2012-06-08 13:49:30 UTC
Description of problem:
After applying the patch suggested in issue 208 for httplib2, the hostname check fails if the DNS name is only one element. The suggested patch returns a string instead of an array, and then the validation fails. It works without applying this patch (#208).

Version-Release number of selected component (if applicable):
python-httplib2

How reproducible:
100% Reproducible while connecting to a server with certificate with only one dns entry

Steps to Reproduce:
1. Server with SSL configured with only one DNS entry as shown in results
2. open httplib connection using ssl
3.
  
Actual results:
Authorization Failed: Unable to communicate with identity service:
Server presented certificate that does not match host keystonessl.cern.ch: {'notAfter': 'Jun  7 06:45:20 2013 GMT', 'subjectAltName': (('DNS', 'keystonessl.cern.ch'),), 'subject': ((('domainComponent', u'ch'),), (('domainComponent', u'cern'),), (('organizationalUnitName', u'computers'),), (('commonName', u'keystonessl.cern.ch'),))}. (HTTP 400)

Expected results:
Authorization succeeds

Additional info:

@@ -942,11 +942,12 @@ class HTTPSConnectionWithTimeout(httplib
           list: A list of valid host globs.
         """
         if 'subjectAltName' in cert:
             for x in cert['subjectAltName']:
                 if x[0].lower() == 'dns':
                      return x[1]       <----- if only one element return a string
         return [x[0][1] for x in cert['subject']
                 if x[0][0].lower() == 'commonname']
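
Review bot: `return x[1]` inside the `for` loop hands back a bare string and stops at the first DNS entry, while the docstring promises "A list of valid host globs" and the commonName fallback below it does return a list. Any caller that iterates over the result will walk the hostname one character at a time, so a certificate whose subjectAltName is (('DNS', 'keystonessl.cern.ch'),) cannot match, and any further DNS entries in a multi-name certificate are silently ignored. Collect every DNS entry into a list instead, for example `return [x[1] for x in cert['subjectAltName'] if x[0].lower() == 'dns']`, and make an explicit decision about whether to fall through to commonName when subjectAltName is present but carries no DNS entries.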

Comment 1 Ding-Yi Chen 2012-06-21 08:28:06 UTC

*** This bug has been marked as a duplicate of bug 832344 ***

