Match_hostname: hostname 'github.com.' doesn't match 'github.com' or 'www.github.com' #1254
This is an interesting issue! Looking at how cURL does it, it seems like it's internally setting the Host header to remove the trailing dot, as well as removing the trailing dot when doing hostname validation on the cert. I did some quick checking on It's unclear to me whether we should just need to make the modification needed for SSL certification somewhere around here (that'll pass a hostname with trailing dot removed to whatever SSL backend is in use for the purposes of certificate verification) or if we should perform the dot-ectomy change in the Host header we send as well (which would need more careful consideration due to the DNS resolution stuff mentioned above). As for algorithm, I believe simply doing @Lukasa, thoughts? I'd be happy to work on a fix for this.
Probably we should almost unconditionally do the dot-ectomy. It is likely to confuse most people to see it and also to cause latent bugs down the line, so probably after DNS resolution it should just be stripped.
@Lukasa, sounds good. I'll get to work on that; the unfortunate part is that we'll probably need to store the domain twice (once for DNS purposes; once for everything else).
Nah, let's just create a property that does the transformation for us when we need it. 😁
LAZY EVALUATION FOR THE LAZY DEVELOPMENT GOD
The same issue came up on Python's bug tracker, https://bugs.python.org/issue31997 . TL;DR and IMHO urllib3 is the correct place to resolve the issue. You should use the FQDN + trailing dot for DNS lookup, then strip the trailing dot and use the clean FQDN for SNI, HTTP Host header, and hostname matching.
@tiran yep! I've got an open PR to do that; time has just been a bit tight lately. It's on my list of things to get done very soon.
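The approach described in the comments above, as an added example that is not part of the thread or of urllib3's code: keep the trailing dot for DNS resolution, strip it for SNI, the Host header and certificate matching. `split_names`, `dnsname_matches`, `cert_matches` and `SAMPLE_CERT` are hypothetical names constructed for illustration, and the matcher is a simplified stand-in for real hostname verification.

```python
# Added illustration; every name here is hypothetical, not urllib3 API.

def split_names(host):
    """Return (dns_name, tls_name) for a user-supplied host.

    dns_name keeps a trailing dot (absolute FQDN, used for resolution);
    tls_name has it stripped, for SNI, the Host header and cert matching.
    """
    tls_name = host[:-1] if host.endswith(".") else host
    return host, tls_name


def dnsname_matches(pattern, hostname):
    """Simplified dNSName comparison: case-insensitive, label by label,
    with '*' accepted only as the entire left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require a non-empty first label and at least two fixed labels.
        return (len(h_labels) > 2 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def cert_matches(cert, hostname):
    """cert is a dict shaped like the output of ssl.SSLSocket.getpeercert()."""
    return any(kind == "DNS" and dnsname_matches(value, hostname)
               for kind, value in cert.get("subjectAltName", ()))


# Constructed sample certificate carrying the two names from the issue title.
SAMPLE_CERT = {"subjectAltName": (("DNS", "github.com"),
                                  ("DNS", "www.github.com"))}

if __name__ == "__main__":
    dns_name, tls_name = split_names("github.com.")
    print("resolve with:   ", dns_name)
    # The dotted form splits into an extra empty label, so nothing matches.
    print("verify (raw):   ", cert_matches(SAMPLE_CERT, dns_name))
    print("verify (clean): ", cert_matches(SAMPLE_CERT, tls_name))
```

Only the name handed to verification changes; the certificate check itself is never relaxed.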
I'm getting hostname mismatch error when I try to access a domain with a trailing dot.
Example:
Version of urllib3 I'm using
Similar request using curl seems to go fine.
Also, going to similar URL https://github.com./robots.txt on browsers Firefox and Chrome doesn't show any SSL errors (They get redirected to https://github.com/robots.txt)