Commit 9f053941 authored by Stephane Bortzmeyer

Proper test of IP addresses in certificates. Addresses #11

parent 8a2b6ba7
......@@ -179,14 +179,16 @@ object Host "myserver" {
## Installation
You need Python 3, [DNSpython](, [PyOpenSSL]( and
You need Python 3, [DNSpython](,
[netaddr]( and
[pycurl]( You can install them with pip
`pip3 install dnspython pyOpenSSL pycurl`. Then, just run the script
`homer` (or ``).
`pip3 install dnspython pyOpenSSL netaddr pycurl`. Then, just run the
script `homer` (or ``).
On Debian, if you prefer regular operating system packages to pip,
`apt install python3 python3-dnspython python3-openssl python3-pycurl` will
install everything you need.
`apt install python3 python3-dnspython python3-openssl python3-netaddr
python3-pycurl` will install everything you need.
## Public servers
......@@ -11,6 +11,9 @@ import pycurl
import dns.message
import netaddr
# Octobre 2019: the Python GnuTLS bindings don't work with Python 3. So we use OpenSSL.
......@@ -107,11 +110,18 @@ def validate_hostname(hostname, cert):
if hostname == base:
return True
elif alt_name.startswith("IP Address:"):
host_i = netaddr.IPAddress(hostname)
except netaddr.core.AddrFormatError:
continue # If hostname is not an IP address, we cannot use it for comparison
(start, base) = alt_name.split("IP Address:")
base = base.lower()
if base.endswith("\n"):
base = base[:-1]
if hostname == base:
base_i = netaddr.IPAddress(base)
except netaddr.core.AddrFormatError:
continue # Ignore broken IP addresses in certificates. Are we too liberal?
if host_i == base_i:
return True
pass # Ignore unknown alternative name types
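Review bot: `hostname` is re-parsed with `netaddr.IPAddress` on every `IP Address:` entry of the certificate, and when it is not an IP address the first `continue` is taken again for each entry; parse it once before the loop (`host_i = netaddr.IPAddress(hostname)` under the same `except netaddr.core.AddrFormatError`, leaving it `None` on failure) and skip this branch when `host_i is None`. On the "Are we too liberal?" question in the second `except`: skipping an entry that does not parse cannot make validation succeed, it only means that entry matches nothing, so this is the strict behaviour rather than a liberal one. Two smaller points: `(start, base) = alt_name.split("IP Address:")` raises `ValueError` if the marker occurs twice in the string, and `base = alt_name[len("IP Address:"):].strip()` avoids that while also replacing the `endswith("\n")` check; and the netaddr releases current when this was written parse IPv4 strings with inet_aton semantics by default, so `IPAddress("10.1")` is accepted as `10.0.0.1`, which can be tightened with `flags=netaddr.INET_PTON` when the hostname comes from user input. Finally, the branch just above this one (ending in `if hostname == base: return True`) still matches an IP-address hostname against a name entry by plain string equality, which RFC 6125 forbids; with IP entries now handled here, that branch could reject any hostname that parses as an IP address.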