
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.
Created on 2018-02-11 13:16 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Pull Requests

| URL | Status | Linked |
|---|---|---|
| PR 5620 | merged | christian.heimes, 2018-02-11 14:58 |
| PR 5847 | merged | miss-islington, 2018-02-24 13:37 |

| Messages (8) | |||
|---|---|---|---|
| msg311996 | Author: Christian Heimes (christian.heimes) | Date: 2018-02-11 13:16 |

Since bpo#23033, ssl.match_hostname() no longer supports partial wildcard matching, e.g. "www*.example.org". In case of a partial match, _dnsname_match() fails with a confusing/wrong error message:

```
>>> import ssl
>>> ssl._dnsname_match('www*.example.com', 'www1.example.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File ".../cpython/Lib/ssl.py", line 198, in _dnsname_match
    "wildcard can only be present in the leftmost segment: " + repr(dn))
ssl.SSLCertVerificationError: ("wildcard can only be present in the leftmost segment: 'www*.example.com'",)
```

The wildcard *is* in the leftmost segment. But it's not a full match but a partial match.

The error message applies to a SAN dNSName like "*.*.example.org" or "www.*.example.com", however the function does not raise an error for multiple or non left-most wildcards:

```
# multiple wildcards return None
>>> ssl._dnsname_match('*.*.example.com', 'www.sub.example.com')
# single wildcard in another label returns False
>>> ssl._dnsname_match('www.*.example.com', 'www.sub.example.com')
False
```

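The wildcard cases named in the report above, each rejected with its own error, as an added example that is not CPython's implementation or code from this tracker. `match_dns_name`, `WildcardError` and `classify` are hypothetical names, and the rule that `*` must be the entire leftmost label is the stricter behaviour discussed in this issue.

```python
class WildcardError(ValueError):
    """Raised when a certificate dNSName uses an unsupported wildcard form."""


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname (hypothetical helper).

    A wildcard is accepted only as a lone '*' forming the whole leftmost label.
    """
    if not pattern:
        return False
    pattern, hostname = pattern.lower(), hostname.lower()
    stars = pattern.count("*")
    if stars == 0:
        # No wildcard: plain case-insensitive comparison.
        return pattern == hostname
    if stars > 1:
        raise WildcardError(f"too many wildcards in dNSName: {pattern!r}")
    left, dot, rest = pattern.partition(".")
    if "*" in rest:
        raise WildcardError(f"wildcard is not in the leftmost label: {pattern!r}")
    if not dot:
        raise WildcardError(f"wildcard without further labels: {pattern!r}")
    if left != "*":
        raise WildcardError(f"partial wildcard in leftmost label: {pattern!r}")
    host_left, host_dot, host_rest = hostname.partition(".")
    # '*' stands for exactly one non-empty label, never zero or several.
    if not host_left or not host_dot:
        return False
    return rest == host_rest


def classify(pattern: str, hostname: str):
    """Return True/False for a valid pattern, or the error text for a bad one."""
    try:
        return match_dns_name(pattern, hostname)
    except WildcardError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample names, mirroring the cases in the report.
    for pat, host in [("*.example.com", "www.example.com"),
                      ("www*.example.com", "www1.example.com"),
                      ("*.*.example.com", "www.sub.example.com"),
                      ("www.*.example.com", "www.sub.example.com")]:
        print(f"{pat!r:22} vs {host!r:24} -> {classify(pat, host)}")
```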
| msg312712 | Author: Christian Heimes (christian.heimes) | Date: 2018-02-24 13:36 |

New changeset aef1283ba428e33397d87cee3c54a5110861552d by Christian Heimes in branch 'master':
bpo-32819: Simplify and improve ssl.match_hostname (#5620)
https://github.com/python/cpython/commit/aef1283ba428e33397d87cee3c54a5110861552d

| msg312714 | Author: Christian Heimes (christian.heimes) | Date: 2018-02-24 14:06 |

New changeset 46632f4d3c1f3aef875d2ada750a298ab0510992 by Christian Heimes (Miss Islington (bot)) in branch '3.7':
[3.7] bpo-32819: Simplify and improve ssl.match_hostname (GH-5620) (#5847)
https://github.com/python/cpython/commit/46632f4d3c1f3aef875d2ada750a298ab0510992

| msg312721 | Author: Christian Heimes (christian.heimes) | Date: 2018-02-24 15:09 |

master and 3.7 are fixed.

Should I backport the issue to 2.7 and 3.6, too? It changes behavior slightly because it drops support for partial wildcards. RFC 6125 considers it an optional feature. AFAIK browsers don't match them either.

| msg312722 | Author: Alex Gaynor (alex) | Date: 2018-02-24 15:10 |

Can confirm, no browsers do partial (or multiple) wildcards and the CABF rules don't allow public CAs to issue them.

| msg312723 | Author: Alex Gaynor (alex) | Date: 2018-02-24 15:10 |

(Didn't mean to update status)

| msg312724 | Author: Christian Heimes (christian.heimes) | Date: 2018-02-24 15:13 |

Don't worry, it happens automatically when somebody replies to a pending ticket w/o closing it explicitly.

I need to backport the patch manually.

| msg312725 | Author: Christian Heimes (christian.heimes) | Date: 2018-02-24 15:16 |

I also fixed an issue for Brandon's backport, https://bitbucket.org/brandon/backports.ssl_match_hostname/issues/12/update-to-implementation-from-37

History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:58:57 | admin | set | github: 77000 |
| 2018-02-25 20:12:09 | christian.heimes | set | status: open -> closed resolution: fixed stage: needs patch -> resolved |
| 2018-02-24 15:16:36 | christian.heimes | set | messages: +msg312725 |
| 2018-02-24 15:13:55 | christian.heimes | set | status: pending -> open versions: + Python 2.7, Python 3.6 messages: +msg312724 resolution: fixed -> (no value) stage: resolved -> needs patch |
| 2018-02-24 15:10:46 | alex | set | status: open -> pending messages: +msg312723 |
| 2018-02-24 15:10:18 | alex | set | status: pending -> open messages: +msg312722 |
| 2018-02-24 15:09:14 | christian.heimes | set | status: open -> pending versions: + Python 3.7, Python 3.8 nosy: +janssen,alex,dstufft messages: +msg312721 resolution: fixed stage: patch review -> resolved |
| 2018-02-24 14:06:48 | christian.heimes | set | messages: +msg312714 |
| 2018-02-24 13:37:08 | miss-islington | set | pull_requests: +pull_request5623 |
| 2018-02-24 13:36:00 | christian.heimes | set | messages: +msg312712 |
| 2018-02-11 14:58:36 | christian.heimes | set | keywords: +patch stage: patch review pull_requests: +pull_request5429 |
| 2018-02-11 13:16:21 | christian.heimes | create | |