bridgedb verifyHostname doesn't check subjectAltName extension
Currently, the verifyHostname function in bridgedb/crypto.py uses the certificate's commonName exclusively to perform a hostname match.
RFC 5280 demands that the presence of the subjectAltName (SAN) extension be checked and that, if present, it be used to perform the hostname check.
verifyHostname should be changed to use subjectAltName. It should fall back to checking the common name only if SAN is missing.
If an existing, more complete implementation of hostname verification can be found, it might be preferable to use it.
Trac:
Username: kaie
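The check order requested in this ticket, as an added example that is not BridgeDB's code or part of the original report. It assumes the certificate is a dict in the shape returned by the standard library's `ssl.SSLSocket.getpeercert()`; the names `verify_hostname` and `_dns_match`, the wildcard rule (whole left-most label only), and all sample certificates are assumptions made for illustration.

```python
# Added example; not BridgeDB's code. Certificates are dicts in the shape
# returned by ssl.SSLSocket.getpeercert(); all sample values are constructed.

def _dns_match(pattern, hostname):
    """Match one DNS name; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def verify_hostname(cert, hostname):
    """Return True if hostname is covered by the certificate.

    When the SAN extension is present it is authoritative and commonName is
    ignored, even if no SAN entry matches. commonName is the fallback only
    when the extension is missing altogether.
    """
    if "subjectAltName" in cert:
        return any(_dns_match(value, hostname)
                   for kind, value in cert["subjectAltName"] if kind == "DNS")
    return any(_dns_match(value, hostname)
               for rdn in cert.get("subject", ())
               for key, value in rdn if key == "commonName")


# Constructed certificates.
CN_ONLY = {"subject": ((("commonName", "bridges.example.org"),),)}
SAN_AND_CN = {
    "subject": ((("commonName", "old.example.org"),),),
    "subjectAltName": (("DNS", "bridges.example.org"),
                       ("DNS", "*.mail.example.org")),
}

if __name__ == "__main__":
    for cert, host in [(CN_ONLY, "bridges.example.org"),
                       (SAN_AND_CN, "bridges.example.org"),
                       (SAN_AND_CN, "old.example.org"),      # CN ignored
                       (SAN_AND_CN, "a.mail.example.org"),
                       (SAN_AND_CN, "a.b.mail.example.org")]:
        print(host, verify_hostname(cert, host))
```

The third case is the one a commonName-only check gets wrong: the name appears in the subject but not in the SAN list, so it must be rejected.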