Bug 830190 - python-httplib2 failed to verify certificate with only one element in subjectAltName,dns
python-httplib2 failed to verify certificate with only one element in subject...
Status: CLOSED DUPLICATE of bug 832344
Product: Fedora EPEL
Classification: Fedora
Component: python-httplib2 (Show other bugs)
noarch Linux
unspecified Severity medium
: ---
: ---
Assigned To: Andreas Bierfert
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-06-08 09:49 EDT by Jose Castro Leon
Modified: 2012-06-21 04:28 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-21 04:28:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jose Castro Leon 2012-06-08 09:49:30 EDT
Description of problem:
After applying patch suggested in issue 208 for httplib2, the hostname check fails if the dns name is only one element. The patch suggested returns a string instead of an array and then the validation fails. Working without applying this patch (#208)

Version-Release number of selected component (if applicable):

How reproducible:
100% Reproducible while connecting to a server with certificate with only one dns entry

Steps to Reproduce:
1. Server with SSL configured with only onw DNS entry as shown in results
2. open httplib connection using ssl
Actual results:
Authorization Failed: Unable to communicate with identity service:
Server presented certificate that does not match host keystonessl.cern.ch: {'notAfter': 'Jun  7 06:45:20 2013 GMT', 'subjectAltName': (('DNS', 'keystonessl.cern.ch'),), 'subject': ((('domainComponent', u'ch'),), (('domainComponent', u'cern'),), (('organizationalUnitName', u'computers'),), (('commonName', u'keystonessl.cern.ch'),))}. (HTTP 400)

Expected results:
Authorization Succeed

Additional info:

@@ -942,11 +942,12 @@ class HTTPSConnectionWithTimeout(httplib
           list: A list of valid host globs.
         if 'subjectAltName' in cert:
             for x in cert['subjectAltName']:
                 if x[0].lower() == 'dns':
                      return x[1]       <----- if only one element return a string
         return [x[0][1] for x in cert['subject']
                 if x[0][0].lower() == 'commonname']
Comment 1 Ding-Yi Chen 2012-06-21 04:28:06 EDT

*** This bug has been marked as a duplicate of bug 832344 ***

Note You need to log in before you can comment on or make changes to this bug.