Thursday, February 22, 2018

Twilio and Heartbleed

Seeing this error? When Twilio reissued its certificates after the Heartbleed incident, the new certificate appears to have tripped a hostname-validation bug in older versions of httplib2:
CertificateHostnameMismatch: Server presented certificate that does not match host api.twilio.com: {'notAfter': 'Apr 10 23:59:59 2015 GMT', 'subjectAltName': (('DNS', 'twilio.com'), ('DNS', '*.twilio.com')), 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'California'),), (('localityName', u'San Francisco'),), (('organizationName', u'Twilio, Inc.'),), (('commonName', u'*.twilio.com'),))}
It turns out that the host check itself is faulty. The certificate carries two subjectAltName entries, twilio.com and *.twilio.com, and api.twilio.com only matches the second one, so the for loop has to reach it. But the return False sits inside the loop: as soon as the regexp built from the first entry fails to match, the function returns False and validation fails, without the wildcard entry ever being tried.
(Pdb) host
'twilio.com'
(Pdb) hosts
['twilio.com', '*.twilio.com']

for host in hosts:
    host_re = host.replace('.', '\\.').replace('*', '[^.]*')
    if re.search('^%s$' % (host_re,), hostname, re.I):
        return True
    return False
Upgrading to httplib2 v0.8 seems to have done the trick. Why? Note where the final return False sits now: outside the loop, so every name in the certificate is tried before the check gives up.
for host in hosts:
    host_re = host.replace('.', '\\.').replace('*', '[^.]*')
    if re.search('^%s$' % (host_re,), hostname, re.I):
        return True
return False
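To make the difference concrete, here is an added, self-contained example (not httplib2's code and not part of the original post) that runs both versions of the check side by side against a constructed peer-certificate dict shaped like the one in the error above. The names valid_hosts, host_pattern, matches_buggy, matches_fixed, PEER_CERT and SWAPPED_CERT are this example's own; the matching logic mirrors the two loops shown on this page.

```python
import re

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(),
# mirroring the SAN and subject from the error message above. This is test
# data for the example, not a real Twilio certificate.
PEER_CERT = {
    'notAfter': 'Apr 10 23:59:59 2015 GMT',
    'subjectAltName': (('DNS', 'twilio.com'), ('DNS', '*.twilio.com')),
    'subject': ((('countryName', 'US'),),
                (('stateOrProvinceName', 'California'),),
                (('localityName', 'San Francisco'),),
                (('organizationName', 'Twilio, Inc.'),),
                (('commonName', '*.twilio.com'),)),
}

# Same certificate with the SAN entries in the opposite order (constructed),
# used to show that the buggy check is order-dependent.
SWAPPED_CERT = dict(PEER_CERT,
                    subjectAltName=tuple(reversed(PEER_CERT['subjectAltName'])))


def valid_hosts(cert):
    """Collect the DNS names a certificate is valid for.

    Prefer subjectAltName entries and fall back to the subject commonName
    only when no SAN is present (the usual RFC 6125 treatment of the CN).
    """
    hosts = [value for kind, value in cert.get('subjectAltName', ())
             if kind == 'DNS']
    if not hosts:
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    hosts.append(value)
    return hosts


def host_pattern(host):
    """Turn a certificate name into the anchored regexp httplib2 uses.

    Dots are escaped first, then '*' becomes '[^.]*', which cannot cross a
    dot: '*.twilio.com' matches 'api.twilio.com' but not 'a.b.twilio.com'.
    """
    return '^%s$' % host.replace('.', '\\.').replace('*', '[^.]*')


def matches_buggy(cert, hostname):
    """httplib2 < 0.8 logic: 'return False' is inside the loop, so only the
    first name in the list is ever compared against the hostname."""
    for host in valid_hosts(cert):
        if re.search(host_pattern(host), hostname, re.I):
            return True
        return False
    return False


def matches_fixed(cert, hostname):
    """httplib2 0.8 logic: every name is tried before the check gives up."""
    for host in valid_hosts(cert):
        if re.search(host_pattern(host), hostname, re.I):
            return True
    return False


if __name__ == '__main__':
    for name in ('api.twilio.com', 'twilio.com', 'a.b.twilio.com'):
        print(name, 'buggy:', matches_buggy(PEER_CERT, name),
              'fixed:', matches_fixed(PEER_CERT, name))
    print('api.twilio.com with SAN order swapped, buggy:',
          matches_buggy(SWAPPED_CERT, 'api.twilio.com'))
```

Two things worth noticing when you run it. The buggy check passes for api.twilio.com as soon as the wildcard entry happens to be listed first in the SAN, so a library with this bug can work for years and then fail the day a reissued certificate lists its names in a different order. And the [^.]* wildcard only spans a single label, so a.b.twilio.com is correctly rejected by both versions; the fix in 0.8 changes which names are tried, not what a wildcard is allowed to match.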