Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling.

[dstufft]

BPO	23033
Nosy	@rhettinger, @pitrou, @tiran, @benjaminp, @ned-deily, @alex, @dstufft, @Mariatta
PRs	bpo-23033: consider wildcard in left most segment only for domain names #937

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2017-11-26.22:33:13.727>
created_at = <Date 2014-12-11.21:03:43.418>
labels = ['type-security', 'expert-SSL', '3.7']
title = 'Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling.'
updated_at = <Date 2017-11-26.22:33:13.726>
user = 'https://github.com/dstufft'

bugs.python.org fields:

activity = <Date 2017-11-26.22:33:13.726>
actor = 'Mariatta'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2017-11-26.22:33:13.727>
closer = 'Mariatta'
components = ['SSL']
creation = <Date 2014-12-11.21:03:43.418>
creator = 'dstufft'
dependencies = []
files = []
hgrepos = []
issue_num = 23033
keywords = []
message_count = 10.0
messages = ['232493', '232494', '232503', '275039', '290994', '291040', '295742', '295756', '307025', '307026']
nosy_count = 8.0
nosy_names = ['rhettinger', 'pitrou', 'christian.heimes', 'benjamin.peterson', 'ned.deily', 'alex', 'dstufft', 'Mariatta']
pr_nums = ['937']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue23033'
versions = ['Python 3.7']

[dstufft]

Various browsers[1][2] are dropping support for wild card certificates which are anything but a single "*" alone in the left most position. The other style wildcards were deprecated previously and they should not appear in any public certificate and in the words of the Chrome project are "dang weird for internal certificates".

I believe we should follow suite and just only allow a single "*" alone in the left most segment for the SSL handling code.

[1] https://codereview.chromium.org/762013002
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1107791

[pitrou]

Sounds fine for me in 3.5.

[alex]

As a part of this, we might want to consider changing the implementation to not compile the SANs into a regular expression. Constantly compiling new regexs can cause churn in the re cache, which can degrade performance -- also, it's probably much worse on PyPy :-)

[tiran]

Sounds good to me!

For 3.7 I'm planning to use OpenSSL's hostname verification system and deprecate match_hostname(). It does support partial matching by default.

[rhettinger]

+1

[tiran]

Ned, Benjamin,

are you ok with a backport to 2.7 and 3.6? Substring (aka partial) matching of wildcards is a MAY feature according to RFC 6125 https://tools.ietf.org/html/rfc6125#section-6.4.3 . They are a violation of CA/B Form's baseline requirements, so no publicaly trusted cert may contain a CN or SAN entry with a partial wildcard. Several libraries and languages do not implement the feature either. Improper wildcard matching caused a bunch of security issues and CVEs in Python.

[Mariatta]

Can this go to 3.6.2?

[tiran]

It's probably not a good idea to port it to 3.6. It's a backwards incompatible change.

[Mariatta]

New changeset ede2ac9 by Mariatta (Mandeep Singh) in branch 'master':
bpo-23033: Improve SSL Certificate handling (GH-937)
ede2ac9

[Mariatta]

I merged the PR, this is now in 3.7.
Thanks all!