Since bpo-23033, ssl.match_hostname() no longer supports partial wildcard matching, e.g. "www*.example.org". In case of a partial match, _dnsname_match() fails with a confusing/wrong error message:
>>> import ssl
>>> ssl._dnsname_match('www*.example.com', 'www1.example.com')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File ".../cpython/Lib/ssl.py", line 198, in _dnsname_match
"wildcard can only be present in the leftmost segment: " + repr(dn))
ssl.SSLCertVerificationError: ("wildcard can only be present in the leftmost segment: 'www*.example.com'",)
The wildcard *is* in the leftmost segment. But it's not a full match but a partial match.
The error message applies to a SAN dNSName like "*.*.example.org" or "www.*.example.com"; however, the function does not raise an error for multiple or non-leftmost wildcards:
# multiple wildcards return None
>>> ssl._dnsname_match('*.*.example.com', 'www.sub.example.com')
# single wildcard in another label returns False
>>> ssl._dnsname_match('www.*.example.com', 'www.sub.example.com')
Should I backport the issue to 2.7 and 3.6, too? It changes behavior slightly because it drops support for partial wildcards. RFC 6125 considers it an optional feature. AFAIK browsers don't match them either.
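For comparison, here is an added, stand-alone matcher (not CPython's ssl module code) that applies the RFC 6125 wildcard rules and reports each rejected form described above with its own accurate message; the names strict_dnsname_match and rejection_reason are mine, and the refusal of names like "*.com" is a deliberately stricter choice than the stdlib makes.

```python
# Added example: a strict SAN dNSName matcher with distinct error messages for
# partial, multiple and non-leftmost wildcards. Names are assumptions, not stdlib.
from typing import Optional


class CertificateError(ValueError):
    """Raised when the SAN dNSName itself is malformed, whatever the hostname."""


def strict_dnsname_match(dn: str, hostname: str) -> bool:
    """Return True if hostname matches the SAN dNSName dn.

    A wildcard is accepted only as the entire leftmost label ("*.example.com")
    and matches exactly one label. Partial ("www*.example.com"), multiple
    ("*.*.example.com") and non-leftmost ("www.*.example.com") wildcards raise
    CertificateError with a message naming the actual problem.
    """
    if not dn:
        return False
    dn_lower = dn.lower().rstrip(".")
    host_lower = hostname.lower().rstrip(".")
    labels = dn_lower.split(".")
    wildcards = dn_lower.count("*")
    if wildcards == 0:
        # No wildcard: plain case-insensitive comparison of the full name.
        return dn_lower == host_lower
    if wildcards > 1:
        raise CertificateError(f"too many wildcards in certificate DNS name: {dn!r}")
    leftmost, rest = labels[0], labels[1:]
    if "*" in ".".join(rest):
        raise CertificateError(f"wildcard can only be present in the leftmost segment: {dn!r}")
    if leftmost != "*":
        raise CertificateError(f"partial wildcards in leftmost segment are not supported: {dn!r}")
    if len(rest) < 2:
        # Stricter than the RFC 6125 minimum: refuse "*" and "*.com" style names.
        raise CertificateError(f"wildcard must be followed by at least two labels: {dn!r}")
    host_labels = host_lower.split(".")
    # "*" covers one non-empty label and never spans a dot, so label counts must agree.
    return (len(host_labels) == len(labels)
            and host_labels[0] != ""
            and host_labels[1:] == rest)


def rejection_reason(dn: str, hostname: str) -> Optional[str]:
    """Return the CertificateError message for dn, or None if dn is well-formed."""
    try:
        strict_dnsname_match(dn, hostname)
    except CertificateError as exc:
        return str(exc)
    return None
```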