match_hostname() error reporting bug #77000
Since bpo-23033, ssl.match_hostname() no longer supports partial wildcard matching, e.g. "www*.example.org". In case of a partial match, _dnsname_match() fails with a confusing/wrong error message:

```python
>>> import ssl
>>> ssl._dnsname_match('www*.example.com', 'www1.example.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File ".../cpython/Lib/ssl.py", line 198, in _dnsname_match
    "wildcard can only be present in the leftmost segment: " + repr(dn))
ssl.SSLCertVerificationError: ("wildcard can only be present in the leftmost segment: 'www*.example.com'",)
```

The wildcard *is* in the leftmost segment. But it's not a full match but a partial match. The error message applies to a SAN dNSName like "*.*.example.org" or "www.*.example.com"; however, the function does not raise an error for multiple or non-leftmost wildcards:

```python
# multiple wildcards return None
>>> ssl._dnsname_match('*.*.example.com', 'www.sub.example.com')
# single wildcard in another label returns False
>>> ssl._dnsname_match('www.*.example.com', 'www.sub.example.com')
False
```
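The strict matching rules discussed in this issue (a wildcard is accepted only as the whole leftmost label, and each rejected shape gets its own error), written out as an added example. This is not CPython's `_dnsname_match` nor code from the reporter; `strict_dnsname_match`, `classify` and `HostnameMismatchError` are names chosen for this example.

```python
class HostnameMismatchError(ValueError):
    """Raised for malformed certificate dNSName patterns.

    Constructed for this example; CPython raises ssl.CertificateError /
    SSLCertVerificationError in the same situations.
    """


def strict_dnsname_match(dn: str, hostname: str) -> bool:
    """Match a SAN dNSName against a hostname in the spirit of RFC 6125 6.4.3.

    Accepted: a case-insensitive exact match, or a wildcard that is the
    *entire* leftmost label ("*.example.com") matching exactly one label.
    Rejected with a specific error: multiple wildcards, a wildcard outside
    the leftmost label, a sole "*", and partial wildcards such as "www*".
    """
    if not dn:
        return False
    wildcards = dn.count("*")
    if wildcards == 0:
        return dn.lower() == hostname.lower()
    if wildcards > 1:
        raise HostnameMismatchError(
            f"too many wildcards in certificate DNS name: {dn!r}")
    leftmost, sep, remainder = dn.partition(".")
    if "*" in remainder:
        raise HostnameMismatchError(
            f"wildcard can only be present in the leftmost label: {dn!r}")
    if not sep:
        raise HostnameMismatchError(
            f"sole wildcard without additional labels is not supported: {dn!r}")
    if leftmost != "*":
        # The case from the report: "www*" is a partial wildcard, not a
        # wildcard in the wrong label, so say so.
        raise HostnameMismatchError(
            f"partial wildcards in leftmost label are not supported: {dn!r}")
    host_leftmost, sep, host_remainder = hostname.partition(".")
    if not host_leftmost or not sep:
        return False  # the wildcard must consume at least one character
    return remainder.lower() == host_remainder.lower()


def classify(dn: str, hostname: str) -> str:
    """Return 'match', 'mismatch', or 'error: <reason>' for a pattern/host pair."""
    try:
        return "match" if strict_dnsname_match(dn, hostname) else "mismatch"
    except HostnameMismatchError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # The three shapes from the report, plus a legitimate wildcard for contrast.
    for pattern, host in [("www*.example.com", "www1.example.com"),
                          ("*.*.example.com", "www.sub.example.com"),
                          ("www.*.example.com", "www.sub.example.com"),
                          ("*.example.com", "www.example.com")]:
        print(f"{pattern!r:>22} vs {host!r}: {classify(pattern, host)}")
```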
master and 3.7 are fixed. Should I backport the issue to 2.7 and 3.6, too? It changes behavior slightly because it drops support for partial wildcards. RFC 6125 considers it an optional feature. AFAIK browsers don't match them either.

Can confirm, no browsers do partial (or multiple) wildcards and the CABF rules don't allow public CAs to issue them.

(Didn't mean to update status)

Don't worry, it happens automatically when somebody replies to a pending ticket w/o closing it explicitly. I need to backport the patch manually.

I also fixed an issue for Brandon's backport, https://bitbucket.org/brandon/backports.ssl_match_hostname/issues/12/update-to-implementation-from-37