Raise a CertificateError if the certificate has no subjectAltName.

[adiroiban]

I have created this ticket to start a conversion.

Feel free to close it if you think this is not an issue.

This ticket is triggerd by the converstation from twisted/twisted#12074

It looks like if the server certificate has no subjectAltName, the verification will fail but the error is

<class 'service_identity.exceptions.VerificationError'>: VerificationError(errors=[DNSMismatch(mismatched_id=DNS_ID(hostname=b'default'))])

It's not very obvious that the issue is misisng subjectAltName

This is related to the change from here

https://github.com/pyca/service-identity/pull/52/files#diff-bf6d1c4ec44ff09a085657cc5b75da153a8cd025b8c72d4bd77d79e44cead072L144

In PR #52, if the certificate has no subjectAltName it is handled as a valid certificate without any match.

Maybe, a CertificateError('Certificate without subjectAltName.') exception should be raised.

Thanks

[hynek]

Wouldn’t that be a breaking change?

[adiroiban]

I think it would be a breaking change that people want :)

Rather than a "silent" error about no match, I think that you want an error about the certificat not having a SAN .

As an application developer, I want to present users with meaningful / actionable error messages.
With the current code, I need to always run a separate check to see if the certificat has a SAN and raise a different error.

[hynek]

How about a compromise: NoSubjectAltNameFoundError(VerificationError)? Should be 100% backwards-compatible?

[hynek]

no, wait I spoke to soon. that doesn't work with our multiple errors.

[hynek]

Like and subscribe #67