[Python-apps-team] Bug#813313: [planet-venus] planet-venus fails on SNI enabled websites

Antoine Beaupré anarcat at debian.org
Wed Feb 10 18:27:32 UTC 2016


On 2016-02-10 13:11:39, Andreas Metzler wrote:
> Just out of interest: Am I looking wrong or is blog.windfluechter.net
> making strange use of SNI, having a single SNI that is identical with
> the CN?

That doesn't seem so strange to me...

Furthermore, the canonical test host for SNI makes httplib fail as well:

$ python -c 'import httplib2; httplib2.Http().request("https://sni.velox.ch/")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1592, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1334, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1256, in _conn_request
    conn.connect()
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1031, in connect
    'host %s: %s' % (hostname, cert), hostname, cert)
httplib2.CertificateHostnameMismatch: Server presented certificate that does not match host sni.velox.ch: {'crlDistributionPoints': (u'http://crl.quovadisglobal.com/qvsslg2.crl',), 'subjectAltName': (('DNS', 'alice.sni.velox.ch'), ('DNS', 'carol.sni.velox.ch')), 'notBefore': u'Apr 21 17:30:43 2014 GMT', 'caIssuers': (u'http://trust.quovadisglobal.com/qvsslg2.crt',), 'OCSP': (u'http://ocsp.quovadisglobal.com',), 'serialNumber': u'398C82B54E24FA61DB9CF244AACDEFD21A0544E2', 'notAfter': 'Apr 21 17:30:42 2017 GMT', 'version': 3L, 'subject': ((('countryName', u'CH'),), (('stateOrProvinceName', u'Zuerich'),), (('localityName', u'Zuerich'),), (('organizationName', u'Kaspar Brand'),), (('commonName', u'alice.sni.velox.ch'),)), 'issuer': ((('countryName', u'BM'),), (('organizationName', u'QuoVadis Limited'),), (('commonName', u'QuoVadis Global SSL ICA G2'),))}

That, at the very least, should be fixed.

a.
-- 
The problem is not a lack of highly educated workers, the problem is a
lack of highly educated workers willing to work for the minimum wage or
lower in the U.S. Costs are driving outsourcing, not the quality of
American schools.       - Scott Kirwin, IT Professionals Association