
ssl.match_hostname() should check for SRV-ID and URI-ID #72383

Closed
tiran opened this issue Sep 18, 2016 · 2 comments
Labels: 3.7 (EOL) end of life · topic-SSL · type-bug (An unexpected behavior, bug, or error)

Comments


tiran commented Sep 18, 2016

BPO 28196
Nosy @tiran
Dependencies
  • bpo-28191: Support RFC4985 SRVName in SAN name
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2017-09-06.19:27:52.072>
    created_at = <Date 2016-09-18.11:13:00.831>
    labels = ['expert-SSL', 'type-bug', '3.7']
    title = 'ssl.match_hostname() should check for SRV-ID and URI-ID'
    updated_at = <Date 2017-09-06.19:27:52.071>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2017-09-06.19:27:52.071>
    actor = 'christian.heimes'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2017-09-06.19:27:52.072>
    closer = 'christian.heimes'
    components = ['SSL']
    creation = <Date 2016-09-18.11:13:00.831>
    creator = 'christian.heimes'
    dependencies = ['28191']
    files = []
    hgrepos = []
    issue_num = 28196
    keywords = []
    message_count = 2.0
    messages = ['276882', '301501']
    nosy_count = 1.0
    nosy_names = ['christian.heimes']
    pr_nums = []
    priority = 'normal'
    resolution = 'wont fix'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue28196'
    versions = ['Python 2.7', 'Python 3.5', 'Python 3.6', 'Python 3.7']


    tiran commented Sep 18, 2016

    The ssl.match_hostname() function does not conform to RFC 6125 because it can fall back to Subject CN when a cert has no dNSName SAN (subject alternative name) but an SRVName otherName SAN or URI SAN.

    ---
    https://tools.ietf.org/search/rfc6125#section-6.4.4

    6.4.4. Checking of Common Names

    As noted, a client MUST NOT seek a match for a reference identifier
    of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
    URI-ID, or any application-specific identifier types supported by the
    client.
    ---

    For now it's not a security problem because no public CA in the CA/Browser Forum is allowed to issue certs with SRV-ID or URI-ID. I checked a couple of libraries and browsers. OpenSSL, NSS/Firefox, GnuTLS, mbedtls (Polar) and libcurl don't check for the presence of SRV-ID or URI-ID either. Only Hynek's service_identity package follows the RFC to the letter. bpo-28191 adds the ability to fetch SRV-ID entries.

    @tiran tiran added the 3.7 (EOL) end of life label Sep 18, 2016
    @tiran tiran self-assigned this Sep 18, 2016
    @tiran tiran added topic-SSL type-bug An unexpected behavior, bug, or error labels Sep 18, 2016
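    One way to implement the RFC 6125 section 6.4.4 rule the report describes, as an added example written for this page (it is not CPython's ssl.match_hostname() and not the bpo-28191 patch). Certificates are plain dicts in the shape ssl.SSLSocket.getpeercert() returns; the 'SRVName' SAN key used for an RFC 4985 SRVName otherName is an assumption of this example, since CPython does not report otherName entries under that key. The wildcard rules are a deliberately conservative reading of section 6.4.3, and IP-address reference identifiers are out of scope.

```python
"""RFC 6125 section 6.4.4 reference-identifier matching (added example).

Not CPython's ssl.match_hostname().  Certs are dicts in getpeercert() shape:
'subject' is a tuple of RDNs, 'subjectAltName' a tuple of (type, value).
Assumption: an RFC 4985 SRVName otherName is represented as
('SRVName', '_service.host'); CPython uses no such key.
"""

# Presented identifier types whose presence forbids the CN-ID fallback.
_CN_BLOCKING_SAN_TYPES = frozenset({"DNS", "SRVName", "URI"})


class CertificateError(ValueError):
    """Raised when the certificate does not match the reference identifier."""


def _dnsname_match(presented: str, hostname: str) -> bool:
    """Match one presented DNS-ID against the reference hostname.

    Case-insensitive, label by label.  A wildcard is accepted only as the
    whole leftmost label, only with at least two labels after it, and never
    against an A-label (xn--).  Partial wildcards ('f*o.example.com') fail.
    """
    if not presented:
        return False
    pattern = presented.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False
    leftmost, rest = pattern[0], pattern[1:]
    if leftmost == "*":
        if len(pattern) < 3 or host[0].startswith("xn--"):
            return False
        return rest == host[1:]
    if any("*" in label for label in pattern):
        return False
    return pattern == host


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateError unless cert matches hostname.

    The subject CN is consulted only when the SAN carries no DNS-ID,
    SRV-ID or URI-ID at all (RFC 6125 section 6.4.4).
    """
    if not cert:
        raise CertificateError("empty or incomplete certificate")
    presented_types = set()
    tried = []
    for san_type, value in cert.get("subjectAltName", ()):
        presented_types.add(san_type)
        if san_type == "DNS":
            if _dnsname_match(value, hostname):
                return
            tried.append(value)
    blocking = presented_types & _CN_BLOCKING_SAN_TYPES
    if blocking:
        # A DNS-ID, SRV-ID or URI-ID is present: MUST NOT fall back to CN,
        # even if the CN would have matched.
        raise CertificateError(
            "hostname %r matches no DNS-ID in %r; CN fallback forbidden, "
            "SAN carries %s" % (hostname, tried, sorted(blocking)))
    # Legacy path: no relevant SAN at all, so the CN-ID may be used.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                if _dnsname_match(value, hostname):
                    return
                tried.append(value)
    raise CertificateError(
        "hostname %r does not match any of %r" % (hostname, tried or ["(none)"]))


def check_hostname(cert: dict, hostname: str) -> bool:
    """Boolean wrapper around match_hostname() for scripting and tests."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


# Constructed sample certificates in getpeercert() shape (not real certs).
CERT_DNS_WILDCARD = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
# The case in this issue: matching CN, but the only SAN is an SRV-ID.
CERT_SRV_ONLY = {
    "subject": ((("commonName", "xmpp.example.net"),),),
    "subjectAltName": (("SRVName", "_xmpp-client.example.net"),),
}
# A URI-ID must block the CN fallback in the same way.
CERT_URI_ONLY = {
    "subject": ((("commonName", "sip.example.net"),),),
    "subjectAltName": (("URI", "sip:sip.example.net"),),
}
# No SAN at all: the legacy CN-ID path is still allowed.
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.org"),),)}


if __name__ == "__main__":
    for name, cert, host in [
        ("DNS wildcard", CERT_DNS_WILDCARD, "www.example.com"),
        ("SRV-ID only", CERT_SRV_ONLY, "xmpp.example.net"),
        ("URI-ID only", CERT_URI_ONLY, "sip.example.net"),
        ("CN only", CERT_CN_ONLY, "legacy.example.org"),
    ]:
        print("%-13s %-20s -> %s" % (name, host, check_hostname(cert, host)))
```

    Run the block directly to see the four sample certificates evaluated; the SRV-ID-only and URI-ID-only certificates are rejected although their CN equals the hostname, which is exactly the behaviour ssl.match_hostname() lacked at the time of this report.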

    tiran commented Sep 6, 2017

    Let OpenSSL handle this in the future.

    @tiran tiran closed this as completed Sep 6, 2017
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022