Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

match_hostname() error reporting bug #77000

Closed
tiran opened this issue Feb 11, 2018 · 8 comments
Closed

match_hostname() error reporting bug #77000

tiran opened this issue Feb 11, 2018 · 8 comments
Assignees
Labels
3.7 (EOL) end of life 3.8 (EOL) end of life topic-SSL type-bug An unexpected behavior, bug, or error

Comments

@tiran
Copy link
Member

tiran commented Feb 11, 2018

BPO 32819
Nosy @tiran, @alex, @dstufft
PRs
  • bpo-32819: Simplify and improve ssl.match_hostname #5620
  • [3.7] bpo-32819: Simplify and improve ssl.match_hostname (GH-5620) #5847
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2018-02-25.20:12:09.558>
    created_at = <Date 2018-02-11.13:16:21.271>
    labels = ['expert-SSL', '3.8', 'type-bug', '3.7']
    title = 'match_hostname() error reporting bug'
    updated_at = <Date 2018-02-25.20:12:09.557>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2018-02-25.20:12:09.557>
    actor = 'christian.heimes'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2018-02-25.20:12:09.558>
    closer = 'christian.heimes'
    components = ['SSL']
    creation = <Date 2018-02-11.13:16:21.271>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 32819
    keywords = ['patch']
    message_count = 8.0
    messages = ['311996', '312712', '312714', '312721', '312722', '312723', '312724', '312725']
    nosy_count = 4.0
    nosy_names = ['janssen', 'christian.heimes', 'alex', 'dstufft']
    pr_nums = ['5620', '5847']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue32819'
    versions = ['Python 2.7', 'Python 3.6', 'Python 3.7', 'Python 3.8']

    @tiran
    Copy link
    Member Author

    tiran commented Feb 11, 2018

    Since bpo bpo-23033, ssl.match_hostname() no longer supports partial wildcard matching, e.g. "www*.example.org". In case of a partial match, _dnsname_match() fails with a confusing/wrong error message:

    >>> import ssl
    >>> ssl._dnsname_match('www*.example.com', 'www1.example.com')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File ".../cpython/Lib/ssl.py", line 198, in _dnsname_match
        "wildcard can only be present in the leftmost segment: " + repr(dn))
    ssl.SSLCertVerificationError: ("wildcard can only be present in the leftmost segment: 'www*.example.com'",)

    The wildcard *is* in the leftmost segment. But it's not a full match but a partial match.

    The error message applies to a SAN dNSName like "*.*.example.org" or "www.*.example.com", however the function does not raise an error for multiple or non left-most wildcards:

    # multiple wildcards return None
    >>> ssl._dnsname_match('*.*.example.com', 'www.sub.example.com')
    # single wildcard in another label returns False
    >>> ssl._dnsname_match('www.*.example.com', 'www.sub.example.com')
    False

    @tiran tiran self-assigned this Feb 11, 2018
    @tiran tiran added topic-SSL type-bug An unexpected behavior, bug, or error labels Feb 11, 2018
    @tiran
    Copy link
    Member Author

    tiran commented Feb 24, 2018

    New changeset aef1283 by Christian Heimes in branch 'master':
    bpo-32819: Simplify and improve ssl.match_hostname (bpo-5620)
    aef1283

    @tiran
    Copy link
    Member Author

    tiran commented Feb 24, 2018

    New changeset 46632f4 by Christian Heimes (Miss Islington (bot)) in branch '3.7':
    [3.7] bpo-32819: Simplify and improve ssl.match_hostname (GH-5620) (bpo-5847)
    46632f4

    @tiran
    Copy link
    Member Author

    tiran commented Feb 24, 2018

    master and 3.7 are fixed.

    Should I backport the issue to 2.7 and 3.6, too? It changes behavior slightly because it drops support for partial wildcards. RFC 6125 consider it an optional feature. AFAIK browsers don't match them either.

    @tiran tiran added 3.7 (EOL) end of life 3.8 (EOL) end of life labels Feb 24, 2018
    @alex
    Copy link
    Member

    alex commented Feb 24, 2018

    Can confirm, no browsers do partial (or multiple) wildcards and the CABF rules don't allow public CAs to issue them.

    @alex
    Copy link
    Member

    alex commented Feb 24, 2018

    (Didn't mean to update status)

    @tiran
    Copy link
    Member Author

    tiran commented Feb 24, 2018

    Don't worry, it happens automatically when somebody replies to a pending ticket w/o closing it explicitly.

    I need to backport the patch manually.

    @tiran
    Copy link
    Member Author

    tiran commented Feb 24, 2018

    @tiran tiran closed this as completed Feb 25, 2018
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.7 (EOL) end of life 3.8 (EOL) end of life topic-SSL type-bug An unexpected behavior, bug, or error
    Projects
    None yet
    Development

    No branches or pull requests

    2 participants