From 7b6b15754754b45552d0872d36f3f30f5fa1a783 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Fri, 18 Sep 2015 15:35:02 +0200
Subject: properly handle SNI IPs

fixes mitmproxy/mitmproxy#772

We must use the ipaddress package here, because that's what cryptography uses. If we opt for something else, we have nasty namespace conflicts.
---
 netlib/certutils.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'netlib/certutils.py')

diff --git a/netlib/certutils.py b/netlib/certutils.py
index cc143a50..c3b795ac 100644
--- a/netlib/certutils.py
+++ b/netlib/certutils.py
@@ -4,6 +4,7 @@ import ssl
 import time
 import datetime
 import itertools
+import ipaddress
 from pyasn1.type import univ, constraint, char, namedtype, tag
 from pyasn1.codec.der.decoder import decode
 from pyasn1.error import PyAsn1Error
@@ -85,8 +86,13 @@ def dummy_cert(privkey, cacert, commonname, sans):
     """
     ss = []
     for i in sans:
-        ss.append("DNS: %s" % i)
-    ss = ", ".join(ss)
+        try:
+            ipaddress.ip_address(i.decode("ascii"))
+        except ValueError:
+            ss.append(b"DNS: %s" % i)
+        else:
+            ss.append(b"IP: %s" % i)
+    ss = b", ".join(ss)
 
     cert = OpenSSL.crypto.X509()
     cert.gmtime_adj_notBefore(-3600 * 48)
@@ -335,6 +341,7 @@ class CertStore(object):
 class _GeneralName(univ.Choice):
     # We are only interested in dNSNames. We use a default handler to ignore
     # other types.
+    # TODO: We should also handle iPAddresses.
     componentType = namedtype.NamedTypes(
         namedtype.NamedType('dNSName', char.IA5String().subtype(
             implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)
-- 
cgit v1.2.3
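Review bot: The new `try` body wraps `i.decode("ascii")` together with `ipaddress.ip_address`, and `UnicodeDecodeError` is a subclass of `ValueError`, so a non-ASCII SAN silently lands in the DNS branch instead of surfacing the decode failure; if that is intended, record it, e.g. `# UnicodeDecodeError is a ValueError: non-ASCII input falls through to the DNS branch`. Separately, nothing in the hunk validates `i` before it is joined into the comma-separated subjectAltName string that OpenSSL later parses, and the commit title suggests these values originate from the client's SNI, so a value containing `,` would presumably be read as additional entries; a guard such as `if b"," in i: raise ValueError("invalid SAN value")` before the append, or restricting the DNS branch to hostname characters, would close that. `dummy_cert` starts before this hunk and continues past it.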
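Review bot: The added TODO in `_GeneralName` does not say what the gap costs: the comment two lines above states that non-dNSName entries are ignored by a default handler, so after this commit certificate generation emits `IP:` SANs while this parser still drops iPAddress entries from certificates it reads, which looks asymmetric. A more useful form would be `# TODO: also handle iPAddress entries; until then, IP SANs in parsed certificates are ignored here (see mitmproxy/mitmproxy#772)`. The `_GeneralName` class body continues past the end of this hunk.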