Issues

Issue #59 wontfix

host name mismatch in production mirrors

Jason R. Coombs
created an issue

In Setuptools #75, Pedro Algarvio reports a hostname mismatch when attempting to download setuptools using wget (via ez_install), but the SSL certificate doesn't match the hostname.

Is '*.a.ssl.fastly.net' something that's served by the PyPI hosts, or is that something that's being intercepted and served by some intermediary in his environment? If it's the former, then the certificate isn't suitable for hosting pypi.python.org content (securely).

Comments (2)

  1. Donald Stufft

    The certificate used by PyPI has a CN of .a.ssl.fastly.net and has a SAN of pypi.python.org (among others). In this case, looking at the original ticket, I'd assume that the wget on the system didn't support SAN certificates fell back to using the CN which the CN of .a.ssl.fastly.net doesn't match the name pypi.python.org and failed.

    There's nothing to be done except for people to not use ancient versions of things that don't support standard X.509 extensions. The only other options are a very expensive CDN option or removing the CDN all together.

  2. Log in to comment