Check alternative subject names.
parent
094e3117c4
commit
ec07491578
18
av98.py
18
av98.py
|
@ -665,10 +665,24 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
|
||||||
elif c.not_valid_after <= now:
|
elif c.not_valid_after <= now:
|
||||||
raise CertificateError("Certificate expired as of: {})!".format(c.not_valid_after))
|
raise CertificateError("Certificate expired as of: {})!".format(c.not_valid_after))
|
||||||
|
|
||||||
# Check certificate hostname
|
# Check certificate hostnames
|
||||||
# TODO: Check alternative names too
|
names = []
|
||||||
common_name = c.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
|
common_name = c.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
|
||||||
|
names.append(common_name)
|
||||||
|
try:
|
||||||
|
names.extend([alt.value for alt in c.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value])
|
||||||
|
except x509.ExtensionNotFound:
|
||||||
|
pass
|
||||||
|
names = set(names)
|
||||||
|
for name in names:
|
||||||
|
try:
|
||||||
ssl._dnsname_match(common_name, host)
|
ssl._dnsname_match(common_name, host)
|
||||||
|
break
|
||||||
|
except CertificateError:
|
||||||
|
continue
|
||||||
|
else:
|
||||||
|
# If we didn't break out, none of the names were valid
|
||||||
|
raise CertificateError("Hostname does not match certificate common name or any alternative names.")
|
||||||
|
|
||||||
sha = hashlib.sha256()
|
sha = hashlib.sha256()
|
||||||
sha.update(cert)
|
sha.update(cert)
|
||||||
|
|
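Review bot: The new loop iterates `for name in names:` but still calls `ssl._dnsname_match(common_name, host)`, so the subject alternative names gathered above are never compared with the host and every iteration just repeats the common-name check. The call's result is also discarded: as far as I know this private helper reports a mismatch through its return value and raises CertificateError only for malformed wildcard patterns, which would let the first iteration reach `break` whether or not the name matches and leave the hostname unverified. I would write the loop body as `if ssl._dnsname_match(name, host): break`, keeping `except CertificateError: continue` for bad patterns. It is also worth limiting the SAN list to DNS entries with `.value.get_values_for_type(x509.DNSName)`, since other name types carry non-string values, and guarding the `[0]` lookup for certificates without a common name. The enclosing function starts and ends outside the hunk.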