Fix valid host list extraction from cert

Use subject if subjectAltName doesn't contains DNS entries (this could happen with old/broken certs). Now the logic is similar to the one used in Python's SSL match_hostname: https://hg.python.org/cpython/file/2.7/Lib/ssl.py#l238 The return value should be backward compatible (None if no hostname is found at all)
reingart · Oct 14, 2015 · b050605 · b050605
1 parent f47c376
commit b050605
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py
@@ -978,12 +978,16 @@ def _GetValidHostsForCert(self, cert):
         Returns:
           list: A list of valid host globs.
         """
+        ret = None
+        # first check SAN extension for DNS names (new certs should have this):
         if 'subjectAltName' in cert:
-            return [x[1] for x in cert['subjectAltName']
-                    if x[0].lower() == 'dns']
-        else:
-            return [x[0][1] for x in cert['subject']
-                    if x[0][0].lower() == 'commonname']
+            ret = [x[1] for x in cert['subjectAltName']
+                   if x[0].lower() == 'dns']
+        # no SubjectAltName, or no DNS entry on it, use just subject: 
+        if not ret:
+            ret = [x[0][1] for x in cert['subject']
+                   if x[0][0].lower() == 'commonname']
+        return ret
 
     def _ValidateCertificateHostname(self, cert, hostname):
         """Validates that a given hostname is valid for an SSL certificate.