New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature Request] Support punycode if idn
command is available
#1321
Comments
idn
or similar library is availableidn
or similar library is available
idn
or similar library is availableidn
command is available
Fixed with #1322 merge |
There's a problem: Debian Buster:
Debian stretch
Opensuse 15.X
On Debian Buster You probably know better the status for Ubuntu... |
Let me dig - gotta put out fires at work here first
…Sent from my iPhone
On Sep 18, 2019, at 12:47, Dirk Wetter ***@***.***> wrote:
There's a problem:
Debian Buster:
prompt% dig +timeout=2 +tries=2 +short -t a xn--v4h.com
dig: 'xn--v4h.com.' is not a legal IDNA2008 name (string contains a disallowed character), use +noidnout
prompt% dig +noidnout +timeout=2 +tries=2 +short -t a xn--v4h.com
54.36.56.87
Debian stretch
prompt% dig +timeout=2 +tries=2 +short -t a xn--v4h.com
54.36.56.87 from server 192.168.122.1 in 0 ms.
prompt% dig +noidnout +timeout=2 +tries=2 +short -t a xn--v4h.com
Invalid option: +noidnout
Opensuse 15.X
prompt% dig +noidnout +timeout=2 +tries=2 +short -t a xn--v4h.com
;; IDN support not enabled [on stderr]
54.36.56.87
prompt% dig +timeout=2 +tries=2 +short -t a xn--v4h.com 2>/dev/null
On Debian Buster host also hiccups. Drill seems to be straight forward so far.
You probably know better the status for Ubuntu...
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub, or mute the thread.
|
So, there seems to be some discrepancy because of Using a Debian Buster environment (Thank you for LXD containers!) I have the following:
Digging deeper, BOTH of the test cases #1319 and #1320 don't meet the restrictions/criterion:
Now, this in mind, we can do a disallowed character test:
... which adheres to the IDNA2008 standard. This will break emoji domains like we've been testing. BUT, if we use a Russian example, of So we need to be explicit with our definition of 'valid domain'. While technically Emoji Domains can be supported, they aren't part of the IDNA2008 standard and therefore standard DNS and such dictate them to be 'bad'. How do you want to proceed with this, Dirk? Remove IDN support, or force IDNA2008 standard which |
I confirmed this in the Python
So for IDN support/conversion we are going to have to decide whether we want to support emojis or be strict to the IDNA2008 standard (which doesn't include emojis in them) |
thanks, look into that after sleeping ;-) |
Only concerns here: Alpine doesn't have an I... might be able to write something that can do this validation, using a Python based program as an addon here, but that'd be a headache to make work properly if people don't install the deps. (I don't know Perl well enough or I'd propose writing this there) |
Further Concerns and Digging: If we want to be using If we want to support Emoji Domains, then we'll have to bypass IDNA2008 checks and use alternative DNS lookup mechanisms than |
It seems that major browsers (I tested Chrome and Firefox) work with emoji domains, probably by trying IDNA2008 and if that fails, trying IDNA2003. So for instance, in both browsers, |
According to ICANN, the use of emoji in domain names is strongly discouraged, but according to wikipedia, there are over 20,000 emoji domains in |
I think the core issue here is not whether IDNA2008 or IDNA2003 is in use here, but what those specific tools See #1321 (comment) for that initial report. I've done some digging, but am still trying to find a suitable solution that'd work for the DNS lookups that would ignore IDNA2008 in a 'works everywhere' format. |
Never said it wasn't, but I think you've missed the most important part of my first message you were looking at:
Right now |
You're correct. This is testssl.sh after all. I don't think it's reasonable to pull in a bunch of external dependencies. |
So, I got bored and came up with a Perl-driven DNS lookup system that returns A and AAAA records, but it requires The script I wrote can be found here: https://gist.github.com/teward/9b3a5f2d57b11be75715b93e7c15c4e6 This said, if we are not opposed to requiring Perl and Perl's Net::DNS to be available, we could theoretically replace all It currently outputs a line-break-delimited list of A and AAAA records, but you have to be careful to catch stderr to I would suggest though that barring any other solution that is cross-distro compliant for our needs, that this solution of relying on the Perl resolver here be a Last Resort Option, because it pulls more external dependencies in. |
@teward , sorry, I am opposed to using perl directly. testssl.sh uses deliberately a small set of external binaries as it is supposed to work under every OS (BSDs, OSX, Windows' Unix environments) ~without installing anything. That being said, we need to come up with a solution which works as good as it can under the given circumstances. That'll be a bit of headache. But we need to keep in mind, that IDN support is a (great) option, not mandatory. So if at a certain point an URI is supplied which cannot be tested we signal that to the user and maybe give a recommendation (like it's the case with the missing idn binary), if possible. If that's not possible, it's ok too. So what I suggest is a) find out which DNS client binary has the best IDN support and put it first in a+b requires some testing on several OS. As usual there will be no check for an OS version because FreBSD/Mac OSX can install GNU tools as well as others can install "unexpected" binaries. Required is a test with the binary itself (search for |
PS: I just added idn support to the docker container, which seem to work with all the examples mentioned here (some refuse to connect. I was just adding libidn to the package list. The container is using drill. |
Remark: No shit ;-) |
This PR adds a few quotes to some arguments which when previous code was executed properly weren't needed. Also it improves the IDN code from @teward, so that when idn2 is available, a conversion will be tried, and when idn is available and/or idn2 failed, a conversion will be tried. Finally it'll be tried to continue without conversion, hoping that the DNS client binaries can cope with the IDN URI. This is not good enough yet and needs to be complemented, see discussion @ #1321.
Please see commit and its comment in separate branch. The point with DNS client binary is still open (and code is not as I want it to be). Now though I need to focus on topics for which I can buy food and the like... |
See 61238f1 and ae9cb99. Also https://☮.com will be correctly parsed as non-IDN URIs. As you might have noticed I don't care much if a URI meets standards. :-) The workflow is now that a conversion with What is missing now are tests with more IDN domains under several OS with several DNS clients. That would help. If you want to help the following circumstances of the failure would be helpful:
|
This is a feature request and not a bug report.
Currently,
testssl
does NOT support punycode, or the conversion of UTF8 strings to punycode.However, there is NO guarantee that any given system will have IDN support - i.e. no installed
idn
orlibidn
to call upon.In Ubuntu and Debian variants, we can install
idn
from the repositories, however this isn't a guarantee that this will be available under the same name.Depending on how we wish to include IDN support, we can either go the route of:
(1) Checking if the
idn
command exists, and if it does, run the given domain throughidn
before processing it throughout the program - however ifidn
is not available or installed this will fail hard and will continue to have issues a la #1319 and #1320(2) External dependencies beyond just the
idn
program, a la a Python call to do the encode/decode. Which has the requisite of needing Python.(3) Try and write an IDN encoder/decoder ourselves in Bash (which sounds like the hellish approach).
Using approach 1 here may be the best approach, however do we want to have that dependency added?
If we do want to go the route of incorporating the
idn
command support I would like to attempt to provide some mechanism for this in the code (so please let me have some time to dig into this for a solution, my Bash is slightly rusty and I need to reaffirm myself with bits of the code...)The text was updated successfully, but these errors were encountered: