Remove the fallback on commonName in match hostname function.

urllib3 · Dec 16, 2020 · e9d219c · e9d219c
1 parent ceaf7d3
commit e9d219c
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 40 deletions.
diff --git a/src/urllib3/packages/ssl_match_hostname/_implementation.py b/src/urllib3/packages/ssl_match_hostname/_implementation.py
@@ -125,17 +125,6 @@ def match_hostname(cert, hostname):
             if host_ip is not None and _ipaddress_match(value, host_ip):
                 return
             dnsnames.append(value)
-    if not dnsnames:
-        # The subject is only checked when there is no dNSName entry
-        # in subjectAltName
-        for sub in cert.get("subject", ()):
-            for key, value in sub:
-                # XXX according to RFC 2818, the most specific Common Name
-                # must be used.
-                if key == "commonName":
-                    if _dnsname_match(value, hostname):
-                        return
-                    dnsnames.append(value)
     if len(dnsnames) > 1:
         raise CertificateError(
             "hostname %r "
@@ -145,5 +134,5 @@ def match_hostname(cert, hostname):
         raise CertificateError(f"hostname {hostname!r} doesn't match {dnsnames[0]!r}")
     else:
         raise CertificateError(
-            "no appropriate commonName or subjectAltName fields were found"
+            "no appropriate subjectAltName fields were found"
         )
diff --git a/test/conftest.py b/test/conftest.py
@@ -75,20 +75,6 @@ def ip_san_server(tmp_path_factory):
         yield cfg
 
 
-@pytest.fixture
-def ipv6_addr_server(tmp_path_factory):
-    if not HAS_IPV6:
-        pytest.skip("Only runs on IPv6 systems")
-
-    tmpdir = tmp_path_factory.mktemp("certs")
-    ca = trustme.CA()
-    # IP address in Common Name
-    server_cert = ca.issue_cert(common_name="::1")
-
-    with run_server_in_thread("https", "::1", tmpdir, ca, server_cert) as cfg:
-        yield cfg
-
-
 @pytest.fixture
 def ipv6_san_server(tmp_path_factory):
     if not HAS_IPV6:

diff --git a/test/contrib/test_pyopenssl.py b/test/contrib/test_pyopenssl.py
@@ -34,7 +34,6 @@ def teardown_module():
 from ..with_dummyserver.test_https import (  # noqa: E402, F401
     TestHTTPS,
     TestHTTPS_IPSAN,
-    TestHTTPS_IPv6Addr,
     TestHTTPS_IPV6SAN,
     TestHTTPS_NoSAN,
     TestHTTPS_TLSv1,

diff --git a/test/with_dummyserver/test_https.py b/test/with_dummyserver/test_https.py
@@ -816,19 +816,6 @@ def test_can_validate_ip_san(self, ip_san_server):
             assert r.status == 200
 
 
-class TestHTTPS_IPv6Addr:
-    def test_strip_square_brackets_before_validating(self, ipv6_addr_server):
-        """Test that the fix for #760 works."""
-        with HTTPSConnectionPool(
-            "[::1]",
-            ipv6_addr_server.port,
-            cert_reqs="CERT_REQUIRED",
-            ca_certs=ipv6_addr_server.ca_certs,
-        ) as https_pool:
-            r = https_pool.request("GET", "/")
-            assert r.status == 200
-
-
 class TestHTTPS_IPV6SAN:
     def test_can_validate_ipv6_san(self, ipv6_san_server):
         """Ensure that urllib3 can validate SANs with IPv6 addresses in them."""
@@ -845,3 +832,14 @@ def test_can_validate_ipv6_san(self, ipv6_san_server):
         ) as https_pool:
             r = https_pool.request("GET", "/")
             assert r.status == 200
+
+    def test_strip_square_brackets_before_validating(self, ipv6_san_server):
+        """Test that the fix for #760 works."""
+        with HTTPSConnectionPool(
+            "[::1]",
+            ipv6_san_server.port,
+            cert_reqs="CERT_REQUIRED",
+            ca_certs=ipv6_san_server.ca_certs,
+        ) as https_pool:
+            r = https_pool.request("GET", "/")
+            assert r.status == 200