diff -ur M2Crypto/M2Crypto/SSL/Checker.py M2Crypto-0.21.1/M2Crypto/SSL/Checker.py
--- M2Crypto/M2Crypto/SSL/Checker.py 2011-01-15 20:10:05.000000000 +0100
+++ M2Crypto-0.21.1/M2Crypto/SSL/Checker.py 2015-07-07 16:41:53.887094222 +0200
@@ -11,6 +11,7 @@
'WrongHost', 'Checker']
from M2Crypto import util, EVP, m2
+import socket
import re
class SSLVerificationError(Exception):
@@ -161,6 +162,10 @@
self.useSubjectAltNameOnly = True
if self._match(host, certHost[4:]):
return True
+ elif certHost[:11] == 'ip address:':
+ self.useSubjectAltNameOnly = True
+ if self._matchIPAddress(host, certHost[11:]):
+ return True
return False
@@ -218,6 +223,34 @@
return False
+ def _matchIPAddress(self, host, certHost):
+ """
+ >>> check = Checker()
+ >>> check._matchIPAddress(host='my.example.com', certHost='my.example.com')
+ False
+ >>> check._matchIPAddress(host='1.2.3.4', certHost='1.2.3.4')
+ True
+ >>> check._matchIPAddress(host='1.2.3.4', certHost='*.2.3.4')
+ False
+ >>> check._matchIPAddress(host='1.2.3.4', certHost='1.2.3.40')
+ False
+ >>> check._matchIPAddress(host='::1', certHost='::1')
+ True
+ >>> check._matchIPAddress(host='::1', certHost='0:0:0:0:0:0:0:1')
+ True
+ >>> check._matchIPAddress(host='::1', certHost='::2')
+ False
+ """
+ try:
+ canonical = socket.getaddrinfo(host, 0, 0, socket.SOCK_STREAM, 0,
+ socket.AI_NUMERICHOST)
+ certCanonical = socket.getaddrinfo(certHost, 0, 0,
+ socket.SOCK_STREAM, 0,
+ socket.AI_NUMERICHOST)
+ except:
+ return False
+ return canonical == certCanonical
+
if __name__ == '__main__':
import doctest