From 1c86b4450689cc9ecef6c99ad8e55bae67931e59 Mon Sep 17 00:00:00 2001
From: Antoine Pitrou
Date: Fri, 6 May 2011 15:19:49 +0200
Subject: Issue #12000: When a SSL certificate has a subjectAltName without any dNSName entry, ssl.match_hostname() should use the subject's commonName. Patch by Nicolas Bareil.
---
 Lib/ssl.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'Lib/ssl.py')
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 84aa6dc3bf..e7c175f063 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -122,8 +122,9 @@ def match_hostname(cert, hostname):
 if _dnsname_to_pat(value).match(hostname):
 return
 dnsnames.append(value)
- if not san:
- # The subject is only checked when subjectAltName is empty
+ if not dnsnames:
+ # The subject is only checked when there is no dNSName entry
+ # in subjectAltName
 for sub in cert.get('subject', ()):
 for key, value in sub:
 # XXX according to RFC 2818, the most specific Common Name
-- cgit v1.2.1
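Review bot: The new comment above `for sub in cert.get('subject', ()):` does not say which rule the fallback follows or what happens to the other subjectAltName entries. With `if not dnsnames:`, a certificate whose subjectAltName holds only non-DNS entries (an IP address entry, for example) is now identified by its commonName alone, and those entries appear to be ignored rather than checked. I would spell that out, for example `# RFC 2818 section 3.1: commonName is the identity only when subjectAltName has no dNSName entry;` followed by `# other subjectAltName entry types are not consulted here.` match_hostname starts and ends outside the hunk, so the filter on the subjectAltName loop and the commonName comparison are not visible and the second line should be confirmed against them. If not already covered, a test with a subjectAltName lacking any dNSName, once with a matching and once with a mismatching commonName, would pin the behaviour.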