
httplib2 - issue #208
Failed to retrieve the certificate if it has 'subjectAltName' but no 'dns'
Some certificates have subjectAltName, but no 'dns' attribute associated with it. Thus it fails to get the host and produces the error: "Server presented certificate that does not match host <HostName>"
What steps will reproduce the problem?
1. Find some certificate with subjectAltName, but dns is missing
2. Try to connect with this certificate
3.
What is the expected output? Connection succeeds without error.
What do you see instead? Failed to find host information in the certificate, thus the following error is shown: error: Server presented certificate that does not match host
What version of the product are you using? On what operating system? python-httplib2-0.7.4
Please provide any additional information below. Proposed patch attached.
Comment #1
Posted on May 4, 2012 by Quick Bear
The patch fixes the problem for me.
Comment #2
Posted on Jun 8, 2012 by Grumpy Camel
One objection about the patch
In case that subjectAltName has a 'dns' element with only one name the output is returned as a string and then the validation fails when comparing with the hostname.
Comment #3
Posted on Jun 15, 2012 by Helpful Wombat
One objection about the patch
In case that subjectAltName has a 'dns' element with only one name the output is returned as a string and then the validation fails when comparing with the hostname.
The function's comment says the function returns a list, so the single entry should be returned in a list.
However, there's another problem: if the subjectAltName entry has multiple dns entries, only the first hostname is returned.
I have a script that uses the Instapaper (http://www.instapaper.com) API. Here's the error when connecting:
httplib2.CertificateHostnameMismatch: Server presented certificate that does not match host www.instapaper.com: {'notAfter': 'Apr 13 00:29:37 2017 GMT', 'subjectAltName': (('DNS', 'www.instapaper.com'), ('DNS', 'instapaper.com')), 'subject': ((('serialNumber', u'kFgvILuOXBY2A3gz3DTbhKsV8Tm6x8T7'),), (('countryName', u'US'),), (('organizationName', u'www.instapaper.com'),), (('organizationalUnitName', u'GT72497635'),), (('organizationalUnitName', u'See www.rapidssl.com/resources/cps (c)11'),), (('organizationalUnitName', u'Domain Control Validated - RapidSSL(R)'),), (('commonName', u'www.instapaper.com'),))}
The attached patch fixes this for me.
- cert.patch 547
Comment #4
Posted on Jun 21, 2012 by Grumpy Camel
Your patch works for me
The function's comment says the function returns a list, so the single entry should be returned in a list.
As an extra comment:
{'notAfter': 'Jun 7 06:45:20 2013 GMT', 'subjectAltName': (('DNS', 'keystonessl.cern.ch'),), 'subject': ((('domainComponent', u'ch'),), (('domainComponent', u'cern'),), (('organizationalUnitName', u'computers'),), (('commonName', u'keystonessl.cern.ch'),))}

    if 'subjectAltName' in cert:
        for x in cert['subjectAltName']:
            if x[0].lower() == 'dns':
                return x[1]    # <----- returns 'keystonessl.cern.ch' instead of ('keystonessl.cern.ch')
Comment #5
Posted on Jun 22, 2012 by Quick Bear
I can also confirm that richardfearn's patch works for the reproducer provided by the bug reporter.
Comment #6
Posted on Jul 30, 2012 by Quick Bear
The patch that richardfearn supplied still fails if the certificate has a subjectAltName but carries other fields instead of 'DNS', such as email, URI, and IP, which are all valid for RFC 2459.
Thus I supply a new patch based on richardfearn's.
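As an added example (not httplib2's code and not any of the patches attached to this issue), here is a Python 3 routine that extracts and matches certificate host names the way the three objections in this thread ask for: it always returns a list, it returns every DNS entry of subjectAltName rather than the first, and it falls back to the subject commonName when the extension carries no DNS entry at all (email, URI or IP only). The two certificate dicts are the ones quoted in comments #3 and #4 with the subject trimmed to the relevant field; NO_DNS_SAN_CERT and WILDCARD_CERT are constructed for illustration.

```python
import re

# Certificates quoted in comments #3 and #4, in ssl getpeercert() layout
# (subject trimmed to the field that matters for hostname checking).
INSTAPAPER_CERT = {
    'subjectAltName': (('DNS', 'www.instapaper.com'), ('DNS', 'instapaper.com')),
    'subject': ((('commonName', 'www.instapaper.com'),),),
}
CERN_CERT = {
    'subjectAltName': (('DNS', 'keystonessl.cern.ch'),),
    'subject': ((('commonName', 'keystonessl.cern.ch'),),),
}
# Constructed samples: a SAN with only non-DNS entries, and a wildcard name.
NO_DNS_SAN_CERT = {
    'subjectAltName': (('email', 'admin@example.com'), ('IP Address', '192.0.2.10')),
    'subject': ((('commonName', 'gateway.example.com'),),),
}
WILDCARD_CERT = {'subjectAltName': (('DNS', '*.example.com'),)}

def valid_hosts_for_cert(cert):
    """Return the list of names the certificate vouches for (always a list).

    Every DNS entry of subjectAltName is kept; email/URI/IP entries are
    skipped, and if no DNS entry exists the subject commonName is used.
    """
    hosts = [value for kind, value in cert.get('subjectAltName', ())
             if kind.lower() == 'dns']
    if not hosts:
        hosts = [attr[1] for rdn in cert.get('subject', ())
                 for attr in rdn if attr[0].lower() == 'commonname']
    return hosts

def _pattern_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against hostname.

    A '*' is honoured only as the whole left-most label, matches exactly one
    label and needs two fixed labels after it: '*.example.com' covers
    'app.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    labels = pattern.split('.')
    if '*' in pattern:
        if labels[0] != '*' or len(labels) < 3 or any('*' in l for l in labels[1:]):
            return False
        regex = r'[^.]+' + ''.join(r'\.' + re.escape(l) for l in labels[1:])
    else:
        regex = re.escape(pattern)
    return re.fullmatch(regex, hostname, re.IGNORECASE) is not None

def cert_matches_hostname(cert, hostname):
    return any(_pattern_matches(p, hostname) for p in valid_hosts_for_cert(cert))
```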
Status: New
Labels:
Type-Defect
Priority-Medium