Closed
Description
I'm trying to fetch a site with an IDN domain name over HTTPS, but it ends up with a CertificateError, because match_hostname is trying to find the decoded hostname instead of the punycode hostname in the CNs of the certificate. Example:
```python
import aiohttp, asyncio
loop = asyncio.get_event_loop()
loop.run_until_complete(aiohttp.ClientSession().get('https://www.xn--hkyrky-ptac70bc.cz'))
```
which ends up with:
```
Traceback (most recent call last):
  File "/usr/lib64/python3.5/asyncio/events.py", line 125, in _run
    self._callback(*self._args)
  File "/usr/lib64/python3.5/asyncio/selector_events.py", line 676, in _read_ready
    self._protocol.data_received(data)
  File "/usr/lib64/python3.5/asyncio/sslproto.py", line 492, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib64/python3.5/asyncio/sslproto.py", line 200, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.5/ssl.py", line 638, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib64/python3.5/ssl.py", line 297, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'www.háčkyčárky.cz' doesn't match either of 'dns-ok.cz', 'dnssec.cz', 'ietf80.cz', 'ietf93.cz', 'kasuar.cz', 'napul.cz', 'old.dobradomena.cz', 'www.dns-ok.cz', 'www.dnssec.cz', 'www.ietf80.cz', 'www.ietf93.cz', 'www.kasuar.cz', 'www.napul.cz', 'www.xn--hkyrky-ptac70bc.cz', 'xn--hkyrky-ptac70bc.cz'
```
I guess this is a similar issue to #1444.
Can reproduce it on both master and 1.2.0 with Python 3.5.2.
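The mismatch reported above, as an added example that is not part of the original report and is not aiohttp's or the `ssl` module's code: certificates carry IDN names in their ASCII (punycode, `xn--`) form, so the hostname has to be converted to that form before it is compared. The helper names `to_a_label`, `name_matches` and `cert_matches` are hypothetical, the matcher is a simplified stand-in for `match_hostname`, and the dNSName list is a subset of the names in the error message.

```python
# Added illustration; helper names are hypothetical, not aiohttp or ssl APIs.

# Subset of the dNSName entries quoted in the CertificateError above.
CERT_DNS_NAMES = [
    "dns-ok.cz",
    "www.dns-ok.cz",
    "www.xn--hkyrky-ptac70bc.cz",
    "xn--hkyrky-ptac70bc.cz",
]

# Decoded (Unicode) hostname as it appears in the error message.
U_LABEL_HOST = "www.háčkyčárky.cz"


def to_a_label(hostname: str) -> str:
    """Return the ASCII form of a hostname; ASCII input passes through unchanged."""
    # Python's built-in codec implements IDNA 2003 and encodes label by label.
    return hostname.encode("idna").decode("ascii").lower()


def name_matches(pattern: str, host: str) -> bool:
    """Simplified dNSName comparison: exact labels, or '*' as the whole left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # The wildcard covers exactly one label; the rest must match literally.
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(hostname: str, dns_names, normalize: bool = True) -> bool:
    """Compare a hostname to certificate names, optionally converting it to ASCII first."""
    candidate = to_a_label(hostname) if normalize else hostname
    return any(name_matches(name, candidate) for name in dns_names)


if __name__ == "__main__":
    # Without normalization the decoded name is compared as-is and fails.
    print("raw U-label matches:    ", cert_matches(U_LABEL_HOST, CERT_DNS_NAMES, normalize=False))
    # After conversion to the punycode form the same certificate is accepted.
    print("A-label form:           ", to_a_label(U_LABEL_HOST))
    print("normalized name matches:", cert_matches(U_LABEL_HOST, CERT_DNS_NAMES))
```

The same ASCII form is what belongs in `server_hostname` (SNI), so that the name sent in the handshake and the name checked against the certificate agree.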