You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The latest ssl.py file tries to validate hostnames vs certificates but includes a faulty regexp which causes any wildcard domains (e.g. *.s3.amazonaws.com) to fail validation.
Steps to Reproduce:
>>> import ssl
>>> ssl._dnsname_match("*.s3.amazonaws.com", "planet.sofiavalley.com.s3.amazonaws.com")
>>>
From Python's documentation:
[]
Used to indicate a set of characters. In a set:
...
Special characters lose their special meaning inside sets. For example, [(+*)] will match any of the literal characters '(', '+', '*', or ')'.
^^^^^^^^^ this is the cause of the error
I've found this after an upgrade to RHEL 7.2 which contains the faulty code broke s3cmd for me. The result - one of my sites was outdated for a couple of days.
Note: As far as I can tell this affects upstream Python 2.7.10 and 3.5.0, however in the packages Red Hat distributes the code is different between 2 and 3 while upstream is more consistent.
This is not a bug. It's actually the way how wildcards in X.509 certificates work. For hostnames a wildcard only matches one label. There can only be one wildcard and the wildcard must be in the left-most label. https://tools.ietf.org/html/rfc6125#section-6.4.3
This means that "*.s3.amazonaws.com" matches "com.s3.amazonaws.com" but doesn't match "planet.sofiavalley.com.s3.amazonaws.com".
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: