Commit 9f053941 authored by Stephane Bortzmeyer

Proper test of IP addresses in certificates. Addresses #11

parent 8a2b6ba7
......@@ -179,14 +179,16 @@ object Host "myserver" {
## Installation
You need Python 3, [DNSpython](http://www.dnspython.org/), [PyOpenSSL](https://www.pyopenssl.org/) and
You need Python 3, [DNSpython](http://www.dnspython.org/),
[PyOpenSSL](https://www.pyopenssl.org/),
[netaddr](https://github.com/drkjam/netaddr/) and
[pycurl](http://pycurl.io/docs/latest). You can install them with pip
`pip3 install dnspython pyOpenSSL pycurl`. Then, just run the script
`homer` (or `homer.py`).
`pip3 install dnspython pyOpenSSL netaddr pycurl`. Then, just run the
script `homer` (or `homer.py`).
On Debian, if you prefer regular operating system packages to pip,
`apt install python3 python3-dnspython python3-openssl python3-pycurl` will
install everything you need.
`apt install python3 python3-dnspython python3-openssl python3-netaddr
python3-pycurl` will install everything you need.
## Public servers
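Review bot: the wrapped `apt install ...` command on the last two changed lines is a style problem: inside a single-backtick span Markdown renders the line break as a space, but anyone copying the command from the raw README and pasting it into a terminal will run `apt install ... python3-netaddr` and then `python3-pycurl` as two separate commands. Keep the whole command on one line, as the `pip3 install dnspython pyOpenSSL netaddr pycurl` line is. Otherwise the pip and apt instructions are consistent with each other and with the new `import netaddr` in homer.py.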
......
......@@ -11,6 +11,9 @@ import pycurl
# http://www.dnspython.org/
import dns.message
# https://github.com/drkjam/netaddr/
import netaddr
# Octobre 2019: the Python GnuTLS bindings don't work with Python 3. So we use OpenSSL.
# https://www.pyopenssl.org/
# https://pyopenssl.readthedocs.io/
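Review bot: netaddr is being added as a third-party dependency solely to parse and compare IP addresses in validate_hostname; since the project already requires Python 3, the standard library `ipaddress` module (`ipaddress.ip_address(text)`, which raises `ValueError` on malformed input and compares normalised values) would give the same result without extending the README, pip and apt instructions. If netaddr is kept, the comment-with-upstream-URL style above the import matches the surrounding imports, which is fine.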
......@@ -107,11 +110,18 @@ def validate_hostname(hostname, cert):
if hostname == base:
return True
elif alt_name.startswith("IP Address:"):
try:
host_i = netaddr.IPAddress(hostname)
except netaddr.core.AddrFormatError:
continue # If hostname is not an IP address, we cannot use it for comparison
(start, base) = alt_name.split("IP Address:")
base = base.lower()
if base.endswith("\n"):
base = base[:-1]
if hostname == base:
try:
base_i = netaddr.IPAddress(base)
except netaddr.core.AddrFormatError:
continue # Ignore broken IP addresses in certificates. Are we too liberal?
if host_i == base_i:
return True
else:
pass # Ignore unknown alternative name types
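Review bot: `netaddr.IPAddress(hostname)` is re-parsed inside the loop for every `IP Address:` entry in the certificate; parsing `hostname` once before the loop (keeping the "not an IP address" result) avoids repeated work and makes the `continue` for a non-IP hostname easier to follow. Two further points on this hunk: (1) unless the `INET_PTON` flag is passed, the netaddr releases current at the time accept abbreviated inet_aton-style IPv4 text such as `127.1` in `IPAddress()`, so for a strict match both calls should use `netaddr.IPAddress(..., flags=netaddr.INET_PTON)`; otherwise the hostname side is parsed more leniently than a certificate check needs. (2) `start` from `alt_name.split("IP Address:")` is unused, and `base.lower()` is unnecessary once the value is parsed, since `IPAddress` equality already normalises hex case and IPv6 zero compression, which is exactly why comparing parsed addresses instead of strings is the right fix here. The `continue` on a malformed IP SAN (the "too liberal?" comment) is acceptable for matching purposes: an unparsable entry can never equal the parsed hostname, so skipping it cannot produce a false match.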
......