Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling. #67222

Closed
dstufft opened this issue Dec 11, 2014 · 10 comments
Member

@dstufft dstufft commented Dec 11, 2014

BPO 23033
Nosy @rhettinger, @pitrou, @tiran, @benjaminp, @ned-deily, @alex, @dstufft, @Mariatta
PRs
  • #937
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2017-11-26.22:33:13.727>
    created_at = <Date 2014-12-11.21:03:43.418>
    labels = ['type-security', 'expert-SSL', '3.7']
    title = 'Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling.'
    updated_at = <Date 2017-11-26.22:33:13.726>
    user = 'https://github.com/dstufft'

    bugs.python.org fields:

    activity = <Date 2017-11-26.22:33:13.726>
    actor = 'Mariatta'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2017-11-26.22:33:13.727>
    closer = 'Mariatta'
    components = ['SSL']
    creation = <Date 2014-12-11.21:03:43.418>
    creator = 'dstufft'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 23033
    keywords = []
    message_count = 10.0
    messages = ['232493', '232494', '232503', '275039', '290994', '291040', '295742', '295756', '307025', '307026']
    nosy_count = 8.0
    nosy_names = ['rhettinger', 'pitrou', 'christian.heimes', 'benjamin.peterson', 'ned.deily', 'alex', 'dstufft', 'Mariatta']
    pr_nums = ['937']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue23033'
    versions = ['Python 3.7']

    Member Author

    @dstufft dstufft commented Dec 11, 2014

    Various browsers[1][2] are dropping support for wild card certificates which are anything but a single "*" alone in the left most position. The other style wildcards were deprecated previously and they should not appear in any public certificate and in the words of the Chrome project are "dang weird for internal certificates".

    I believe we should follow suit and just only allow a single "*" alone in the left most segment for the SSL handling code.

    [1] https://codereview.chromium.org/762013002
    [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1107791

    Member

    @pitrou pitrou commented Dec 11, 2014

    Sounds fine for me in 3.5.

    Member

    @alex alex commented Dec 11, 2014

    As a part of this, we might want to consider changing the implementation to not compile the SANs into a regular expression. Constantly compiling new regexes can cause churn in the re cache, which can degrade performance -- also, it's probably much worse on PyPy :-)

    Member

    @tiran tiran commented Sep 8, 2016

    Sounds good to me!

    For 3.7 I'm planning to use OpenSSL's hostname verification system and deprecate match_hostname(). It does support partial matching by default.

    @tiran tiran self-assigned this Sep 15, 2016
    Contributor

    @rhettinger rhettinger commented Apr 1, 2017

    +1

    Member

    @tiran tiran commented Apr 2, 2017

    Ned, Benjamin,

    are you ok with a backport to 2.7 and 3.6? Substring (aka partial) matching of wildcards is a MAY feature according to RFC 6125 https://tools.ietf.org/html/rfc6125#section-6.4.3 . They are a violation of CA/B Forum's baseline requirements, so no publicly trusted cert may contain a CN or SAN entry with a partial wildcard. Several libraries and languages do not implement the feature either. Improper wildcard matching caused a bunch of security issues and CVEs in Python.
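
The rule discussed in this thread (a lone "*" as the entire left-most label, checked with plain string operations rather than a compiled regular expression), as an added example that is not CPython's own code. The names `has_wildcard`, `strict_match` and `unsupported_patterns` are hypothetical and the SAN list is constructed; `unsupported_patterns` shows which entries in an internal certificate would stop matching under the stricter rule.

```python
class UnsupportedWildcard(ValueError):
    """A wildcard form other than a lone "*" as the left-most label."""


def has_wildcard(pattern: str) -> bool:
    """Return True for a valid "*.parent" pattern, False if there is no "*".

    Any other placement of "*" raises UnsupportedWildcard.
    """
    if "*" not in pattern:
        return False
    leftmost, sep, parent = pattern.partition(".")
    if leftmost != "*":
        # a*.example.net, *a.example.net, a*b.example.net, www.*.example.net
        raise UnsupportedWildcard(f"'*' must be the whole left-most label: {pattern!r}")
    if not sep or not parent or "*" in parent:
        # "*", "*." and "*.*.example.net"
        raise UnsupportedWildcard(f"'*' needs a literal parent domain: {pattern!r}")
    return True


def strict_match(pattern: str, hostname: str) -> bool:
    """Match hostname against one dNSName pattern using plain string ops."""
    if not pattern or not hostname:
        return False
    pattern, hostname = pattern.lower(), hostname.lower()
    if not has_wildcard(pattern):
        return pattern == hostname
    first_label, sep, host_parent = hostname.partition(".")
    # "*" stands for exactly one non-empty label; it never spans a dot.
    return bool(first_label and sep) and host_parent == pattern[2:]


def unsupported_patterns(sans):
    """Return the SAN entries that the strict rule refuses to interpret."""
    bad = []
    for san in sans:
        try:
            has_wildcard(san)
        except UnsupportedWildcard:
            bad.append(san)
    return bad


# Constructed SAN entries for illustration, not taken from a real certificate.
SAMPLE_SANS = ["*.example.net", "a*.example.net", "*a.example.net",
               "a*b.example.net", "www.example.net"]
```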

    Sponsor Member

    @Mariatta Mariatta commented Jun 12, 2017

    Can this go to 3.6.2?

    Member

    @tiran tiran commented Jun 12, 2017

    It's probably not a good idea to port it to 3.6. It's a backwards incompatible change.

    Sponsor Member

    @Mariatta Mariatta commented Nov 26, 2017

    New changeset ede2ac9 by Mariatta (Mandeep Singh) in branch 'master':
    bpo-23033: Improve SSL Certificate handling (GH-937)
    ede2ac9

    Sponsor Member

    @Mariatta Mariatta commented Nov 26, 2017

    I merged the PR, this is now in 3.7.
    Thanks all!

    @Mariatta Mariatta closed this Nov 26, 2017
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022