Closed robert-kisteleki closed 7 years ago
If cryptography supports everything that pyopenssl does, I'd say switch completely, as it's a well-supported module. I've used both and prefer the former.
this is fixed by #81 right?
Yes, that was the point of #81
In order to support checks on subject name, one needs to dig into certificate extensions, namely subject alternative name (SAN). Sagan at the moment does not expose certificate extensions to the client.
It seems there are multiple ways of going about this.
pyopenssl, which the library currently uses, can enumerate extensions, but it does not parse them; it only gives an ASN.1 blob back. There's an undocumented function named _subjectAltNameString which works, but it's unclear whether one can rely on it.
Use the Python cryptography module (suggested by @chrisamin), which seems simpler, but it also means either parsing certs twice or replacing the current pyopenssl code with it.
Opinions?
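To make concrete what the "ASN.1 blob" option above actually involves, here is an added example (not Sagan's code and not part of this thread) that decodes a DER-encoded subjectAltName value by hand and then matches a hostname against it, following the GeneralName tags in RFC 5280 section 4.2.1.6 and the usual rule that a wildcard may only be the entire leftmost label. The sample SAN bytes are constructed inline with example.net names and a TEST-NET address; in a real client the blob would come from the extension object (with pyopenssl, `X509Extension.get_data()`), and a library such as cryptography's `x509.SubjectAlternativeName` does this decoding for you.

```python
"""Decode a DER subjectAltName extension value and check a hostname against it.

Added example for illustration; it is not Sagan's code. It handles the four
GeneralName choices a TLS client normally cares about and rejects malformed
or NUL-containing names instead of silently matching them.
"""
import ipaddress

# Context-specific GeneralName tags (RFC 5280 4.2.1.6), primitive encoding.
_TAG_RFC822 = 0x81  # [1] rfc822Name, IA5String
_TAG_DNS = 0x82     # [2] dNSName, IA5String
_TAG_URI = 0x86     # [6] uniformResourceIdentifier, IA5String
_TAG_IP = 0x87      # [7] iPAddress, OCTET STRING (4 or 16 bytes)


def _read_length(data, pos):
    """Read a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def _read_tlv(data, pos):
    """Read one tag-length-value element; return (tag, value bytes, next pos)."""
    tag = data[pos]
    length, pos = _read_length(data, pos + 1)
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def _ia5(value):
    name = value.decode("ascii")  # IA5String is ASCII; anything else is malformed
    if "\x00" in name:
        raise ValueError("embedded NUL in name")
    return name


def parse_san(der):
    """Return a list of (kind, value) tuples from a DER subjectAltName value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after subjectAltName")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == _TAG_DNS:
            names.append(("dns", _ia5(value)))
        elif tag == _TAG_RFC822:
            names.append(("email", _ia5(value)))
        elif tag == _TAG_URI:
            names.append(("uri", _ia5(value)))
        elif tag == _TAG_IP:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 bytes")
            names.append(("ip", str(ipaddress.ip_address(value))))
        else:
            names.append(("other", value))  # otherName, directoryName, ...: kept, never matched
    return names


def _dns_match(pattern, hostname):
    """Case-insensitive dNSName comparison; '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Require at least two labels after the wildcard so '*.net' does not match everything.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(san_names, hostname):
    """True if hostname (DNS name or IP literal) is covered by the parsed SAN list."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san_names:
        if ip is not None and kind == "ip" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "dns" and _dns_match(value, hostname):
            return True
    return False


def _der(tag, payload):
    """Tiny DER encoder for the constructed sample (short-form lengths only)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


# Constructed sample SAN: two dNSNames, one IPv4 address, one rfc822Name.
SAMPLE_SAN_DER = _der(0x30,
                      _der(_TAG_DNS, b"atlas.example.net")
                      + _der(_TAG_DNS, b"*.example.net")
                      + _der(_TAG_IP, bytes([192, 0, 2, 1]))
                      + _der(_TAG_RFC822, b"admin@example.net"))

if __name__ == "__main__":
    names = parse_san(SAMPLE_SAN_DER)
    for host in ("atlas.example.net", "www.example.net", "example.net", "192.0.2.1"):
        print(host, hostname_matches(names, host))
```

The wildcard rule is the part worth getting right: `*.example.net` must match `www.example.net` but neither `example.net` itself nor `a.b.example.net`, and an IP literal must be compared against iPAddress entries, never string-matched against dNSNames.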