Issue 25722: Lib/ssl.py breaks certificate validation for wildcard domains, e.g. *.s3.amazonaws.com

The latest ssl.py file tries to validate hostnames vs certificates but includes a faulty regexp which causes any wildcard domains (e.g. *.s3.amazonaws.com) to fail validation.

Steps to Reproduce:

    import ssl
    ssl._dnsname_match("*.s3.amazonaws.com", "planet.sofiavalley.com.s3.amazonaws.com")

From Python's documentation:

[]

Used to indicate a set of characters. In a set:

... Special characters lose their special meaning inside sets. For example, [(+*)] will match any of the literal characters '(', '+', '*', or ')'.

^^^^^^^^^ this is the cause of the error

I found this after an upgrade to RHEL 7.2, which contains the faulty code, broke s3cmd for me. The result: one of my sites was outdated for a couple of days.

For more info and the proposed patch see:
https://bugzilla.redhat.com/show_bug.cgi?id=1284916
https://bugzilla.redhat.com/show_bug.cgi?id=1284930

Note: As far as I can tell this affects upstream Python 2.7.10 and 3.5.0, however in the packages Red Hat distributes the code is different between 2 and 3 while upstream is more consistent.
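Added example, not the reporter's code and not Lib/ssl.py itself: a stand-alone implementation of the certificate name matching rules in RFC 6125 section 6.4.3 (case-insensitive comparison, a wildcard honoured only in the leftmost label, and a wildcard standing for a single label, never for a dotted sequence of labels), run over the two hostnames named in this report. The SAN list and the other hostnames in the block are constructed for the demonstration, and `dnsname_regex`, `dnsname_match`, `check_cert_names` and `rejects` are names chosen here, not ssl module API.

```python
import re

# Added example (not the reporter's code, not Lib/ssl.py): hostname matching
# per RFC 6125 section 6.4.3. A wildcard is honoured only in the leftmost label
# of the certificate name and matches exactly one label, so '*.s3.amazonaws.com'
# covers 'bucket.s3.amazonaws.com' but not 'a.b.s3.amazonaws.com'.


class CertificateError(ValueError):
    """Raised for certificate names that cannot be matched safely."""


def dnsname_regex(dn, max_wildcards=1):
    """Compile the regex that compares a dNSName (or CN) value to a hostname."""
    if not dn:
        raise CertificateError("empty certificate name")
    leftmost, *remainder = dn.split(".")
    wildcards = leftmost.count("*")
    if wildcards > max_wildcards:
        raise CertificateError("too many wildcards in certificate name: %r" % dn)
    if wildcards == 0:
        # No wildcard at all: every label is compared literally. re.escape()
        # neutralises '.', '+', '(' and the other regex metacharacters.
        pats = [re.escape(label) for label in dn.split(".")]
    elif leftmost == "*":
        # '*' as the whole label: exactly one non-empty label, no dots inside.
        pats = ["[^.]+"] + [re.escape(label) for label in remainder]
    elif leftmost.startswith("xn--"):
        # RFC 6125 forbids wildcards inside an IDNA A-label; treat it literally.
        pats = [re.escape(leftmost)] + [re.escape(label) for label in remainder]
    else:
        # Partial wildcard such as 'f*.example.com': '*' stands for zero or
        # more characters other than a dot, still confined to one label.
        pats = [re.escape(leftmost).replace(r"\*", "[^.]*")]
        pats += [re.escape(label) for label in remainder]
    return re.compile(r"\A" + r"\.".join(pats) + r"\Z", re.IGNORECASE)


def dnsname_match(dn, hostname):
    """Return True if the certificate name dn covers hostname."""
    return dnsname_regex(dn).match(hostname) is not None


def check_cert_names(names, hostname):
    """Return the first SAN entry that covers hostname, or None if none does."""
    for name in names:
        if dnsname_match(name, hostname):
            return name
    return None


def rejects(dn):
    """True if dn is refused outright (e.g. more than one wildcard)."""
    try:
        dnsname_regex(dn)
    except CertificateError:
        return True
    return False


if __name__ == "__main__":
    # Constructed SAN list in the shape S3 certificates use (not a real cert).
    san = ["s3.amazonaws.com", "*.s3.amazonaws.com"]
    for host in ["bucket.s3.amazonaws.com",
                 "planet.sofiavalley.com.s3.amazonaws.com",
                 "s3.amazonaws.com"]:
        print(host, "->", check_cert_names(san, host))
```

The bucket name in the report contains dots, so it spans several DNS labels under `s3.amazonaws.com`; under the single-label rule only a dot-free bucket name such as `bucket.s3.amazonaws.com` is covered by `*.s3.amazonaws.com`.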