Open quanah opened 1 year ago
It should probably check the common name in the interest of being less likely to be surprising in cases like this, but the CA/B Forum baseline requirements specify that the SAN extension must be present and it must contain a domain name that's had domain control validated by the issuer (see CA/B BRs section 7.1.2.7.12). That is to say, what you ran into with a locally-issued test cert is very unlikely to happen with a certificate issued by a publicly-trusted CA.
That said, people put together local-only certificates all the time, and I do think that in the interest of "be generous in what you accept" this should probably be checking the common name, as well.
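To make the rule in the comment above concrete: an added example (not code from this issue, ldap3, or the CPython `ssl` module) that implements both the strict RFC 6125 behaviour `ssl.match_hostname` applied (a SAN with any dNSName entries is authoritative and the CN is ignored) and the "generous" variant that also accepts a CN match. The certificate dicts are constructed sample data in the shape returned by `ssl.SSLSocket.getpeercert()`; the hostnames and the wildcard-matching rule are simplified assumptions, not taken from the report.

```python
import ipaddress

# Constructed sample certificates in getpeercert() dict shape (not from the report).
# CN matches the host we connect to, but the SAN carries a different dNSName:
# this is the situation that makes a SAN-first check fail.
CERT_SAN_MISMATCH = {
    "subject": ((("commonName", "ldap.example.internal"),),),
    "subjectAltName": (("DNS", "ldap01.example.internal"), ("IP Address", "10.0.0.5")),
}
# No SAN at all: only the CN can be consulted.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap.example.internal"),),),
}
# Wildcard dNSName in the SAN, unrelated CN.
CERT_WILDCARD = {
    "subject": ((("commonName", "unrelated"),),),
    "subjectAltName": (("DNS", "*.example.internal"),),
}


def _dnsname_match(pattern, hostname):
    """Compare one dNSName pattern against a hostname (case-insensitive).
    Assumption for this example: a single '*' is allowed only as the whole
    leftmost label, must cover at least two further labels, and never
    matches the base domain itself (*.example.internal != example.internal)."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return plabels == hlabels
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]):
        return False
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def san_ip_addresses(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _is_ip(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def matches_strict(cert, hostname):
    """RFC 6125 rule as ssl.match_hostname applied it: an IP literal is checked
    against SAN iPAddress entries only; a hostname is checked against SAN
    dNSName entries if any exist, and only falls back to the CN when there
    are none."""
    if _is_ip(hostname):
        target = ipaddress.ip_address(hostname)
        return any(ipaddress.ip_address(ip) == target for ip in san_ip_addresses(cert))
    dns = san_dns_names(cert)
    if dns:
        return any(_dnsname_match(p, hostname) for p in dns)
    return any(_dnsname_match(cn, hostname) for cn in common_names(cert))


def matches_lenient(cert, hostname):
    """The 'be generous in what you accept' variant: same as the strict check,
    but a CN match is also accepted even when the SAN has dNSName entries.
    Note the cost: a CA that validated only the SAN names never validated the
    CN, so this widens what a publicly-trusted cert can be used for."""
    if matches_strict(cert, hostname):
        return True
    if _is_ip(hostname):
        return False
    return any(_dnsname_match(cn, hostname) for cn in common_names(cert))


if __name__ == "__main__":
    # Reproduces the reported shape: CN matches, SAN dNSName does not.
    print(matches_strict(CERT_SAN_MISMATCH, "ldap.example.internal"))   # False
    print(matches_lenient(CERT_SAN_MISMATCH, "ldap.example.internal"))  # True
```

Since Python 3.7, `ssl.SSLContext` with `check_hostname=True` hands this check to OpenSSL rather than `ssl.match_hostname` (which was deprecated in 3.7 and removed in 3.12), and OpenSSL applies the same SAN-first rule, so the practical fix for a local test CA is to put the hostname in the SAN rather than to relax the client.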
I'm using the ssl module in conjunction with the python-ldap3 library. I've found that when setting ssl.CERT_REQUIRED a valid cert fails the hostname check done by the function match_hostname.
The ldap3 code is here https://github.com/cannatag/ldap3/blob/dev/ldap3/core/tls.py#L317
In the error that comes back, we see: