Ticket #605 (defect)

Opened 2 years ago

Last modified 2 years ago

SSL parsing is broken

Status: closed (fixed)

Reported by: Sheco Assigned to: fumanchu
Priority: normal Milestone: 3.0
Component: CherryPy code Keywords: ssl
Cc:

5 days ago a new method to parse ssl certificates was introduced to the trunk of cherrypy 3.0.

It is broken. The X509Name is weird, it doesn't help when inspecting it interactively, but I searched the docs and fixed the current implementation in cherrypy. I did it so the short names are saved in the environment, since this was the way it was previously saved; I didn't want to change it.

This is the diff:

791,794d790
<             # X509Name objects don't seem to have a way to get the
<             # complete DN string. Use str() and slice it instead.
<             dn = str(dn)[18:-2]
<
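
Review bot: with `dn = str(dn)[18:-2]` removed here, `dn` stays an X509Name object through the unchanged lines 795-796 that lie between this deletion and the rewritten loop. Those lines are not part of the diff, so if they store `dn` itself in the environ they now need their own string conversion; check them before dropping this assignment.
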
797,802c793,804
<
<             for atom in dn.split("/"):
<                 if atom:
<                     key, value = atom.split("=", 1)
<                     wsgikey = 'SSL_SERVER_%s_DN_%s' % (prefix, key)
<                     self.ssl_environ[wsgikey] = value
---
>
>             for short, long in {
>               'C': 'countryName',
>               'ST': 'stateOrProvinceName',
>               'L': 'localityName',
>               'O': 'organizationName',
>               'OU': 'organizationalUnitName',
>               'CN': 'commonName',
>               'emailAddress': 'emailAddress' }.iteritems():
>               wsgikey = 'SSL_SERVER_%s_DN_%s' %(prefix, short)
>               print short, long
>               self.ssl_environ[wsgikey] = getattr(dn, long)
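
Review bot: the added `print short, long` inside the loop is leftover debugging output and would write to stdout for every attribute of every certificate; drop it. The dict literal also limits the environ to seven fixed attributes, so any other component present in the DN is silently lost, and `getattr(dn, long)` is called with no handling for a certificate that lacks one of the seven; iterating over the components the name actually contains would cover both. The loop variable `long` also shadows the builtin of that name.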

Attachments

url_in_dn.patch (1.1 kB) - added by fumanchu on 11/27/06 12:30:30.
Patch to allow for slashes in cert DN

Change History

11/23/06 16:18:17: Modified by Sheco

I forgot to mention, the method in the trunk is broken because it converts the object to string and splits it. My OU has a url, so the split("/") is not a good idea.

11/27/06 12:30:30: Modified by fumanchu

  • attachment url_in_dn.patch added.

Patch to allow for slashes in cert DN

11/27/06 12:33:26: Modified by fumanchu

  • status changed from new to assigned.

The problem is understood, but the proposed fix won't work; the SSL environ should contain all subkeys in the DN, not just a few canonical ones. The proposed fix also damages the values of SSL_SERVER_I_DN and SSL_SERVER_S_DN.

The url_in_dn patch should correct these issues.

11/27/06 13:14:32: Modified by fumanchu

  • status changed from assigned to closed.
  • resolution set to fixed.

Fixed in [1448].
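
The failure discussed in this ticket, as an added example that is not taken from the ticket, the attached patch or the CherryPy code base: the split-on-"/" parsing quoted in the diff is run against a constructed DN whose OU is a URL, next to a tolerant re-parse and a structured build. The function names, the sample DNs and the "continue the previous value" heuristic are assumptions made for illustration; the contents of url_in_dn.patch are not shown on this page.

```python
# Added illustration, not CherryPy code. Both DNs are constructed sample data.
SAMPLE_DN = [("C", "US"), ("O", "Example Org"),
             ("OU", "http://example.com/ca"), ("CN", "www.example.com")]
# A value with "=" after a slash: the flattened string becomes ambiguous.
AMBIGUOUS_DN = [("OU", "http://example.com/?id=7"), ("CN", "www.example.com")]


def flatten(components):
    """Simplified model of the one-line DN string: /K=V/K=V, no escaping."""
    return "".join("/%s=%s" % (k, v) for k, v in components)


def naive_environ(dn_string, prefix="S"):
    """The parsing removed by the diff: split on "/" and then on "="."""
    environ = {}
    for atom in dn_string.split("/"):
        if atom:
            key, value = atom.split("=", 1)  # ValueError if atom has no "="
            environ["SSL_SERVER_%s_DN_%s" % (prefix, key)] = value
    return environ


def tolerant_environ(dn_string, prefix="S"):
    """Heuristic: an atom without "=" continues the previous value."""
    environ, last = {}, None
    for atom in dn_string.split("/")[1:]:  # skip the empty leading atom
        if "=" in atom:
            key, value = atom.split("=", 1)
            last = "SSL_SERVER_%s_DN_%s" % (prefix, key)
            environ[last] = value
        elif last is not None:
            environ[last] += "/" + atom
    return environ


def structured_environ(components, prefix="S"):
    """Build the keys from (key, value) pairs; no string parsing at all."""
    return {"SSL_SERVER_%s_DN_%s" % (prefix, k): v for k, v in components}
```

On `SAMPLE_DN` the naive parser raises `ValueError`, while the tolerant and structured versions agree. On `AMBIGUOUS_DN` the tolerant parser cuts the OU short and emits a bogus `?id` key, so only the structured components give a reliable environ.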
