ssl.match_hostname was added in Python 2.7.9, looks like Python 2 should be fixed as well.

On Sat, Dec 30, 2017 at 3:50 PM Antoine Pitrou <solipsis@pitrou.net> wrote:

Thanks. So the change sounds ok to me.

Regards

Antoine.


On Sat, 30 Dec 2017 14:34:04 +0100
Christian Heimes <christian@python.org> wrote:
> On 2017-12-30 11:28, Antoine Pitrou wrote:
> > On Fri, 29 Dec 2017 21:54:46 +0100
> > Christian Heimes <christian@python.org> wrote:
> >>
> >> On the other hand ssl module is currently completely broken. It converts
> >> hostnames from bytes to text with 'idna' codec in some places, but not
> >> in all. The SSLSocket.server_hostname attribute and callback function
> >> SSLContext.set_servername_callback() are decoded as U-label.
> >> Certificate's common name and subject alternative name fields are not
> >> decoded and therefore A-labels. They *must* stay A-labels because
> >> hostname verification is only defined in terms of A-labels. We even had
> >> a security issue once, because partial wildcard like 'xn*.example.org'
> >> must not match IDN hosts like 'xn--bcher-kva.example.org'.
> >>
> >> In issue [2] and PR [3], we all agreed that the only sensible fix is to
> >> make 'SSLContext.server_hostname' an ASCII text A-label.
> >
> > What are the changes in API terms? If I'm calling wrap_socket(), can I
> > pass `server_hostname='straße'` and it will IDNA-encode it? Or do I
> > have to encode it myself? If the latter, it seems like we are putting
> > the burden of protocol compliance on users.
>
> Only SSLSocket.server_hostname attribute and the hostname argument to
> the SNI callback will change. Both values will be A-labels instead of
> U-labels. You can still pass a U-label to the server_hostname argument
> and it will be encoded with "idna" encoding.
>
> >>> sock = ctx.wrap_socket(socket.socket(), server_hostname='www.straße.de')
>
> Currently:
> >>> sock.server_hostname
> 'www.straße.de'
>
> Changed:
> >>> sock.server_hostname
> 'www.strasse.de'
>
> Christian
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/python-python-dev%40m.gmane.org



--
Thanks,
Andrew Svetlov
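An added example, not code from this thread or from CPython's ssl module, showing the two points Christian makes above: the hostname the client verifies against is first normalized to an A-label with the 'idna' codec (so 'www.straße.de' becomes 'www.strasse.de', as in his session), and certificate names stay A-labels, where a whole-label wildcard like '*.example.org' may match an IDN host but a partial wildcard like 'xn*.example.org' must never match 'xn--bcher-kva.example.org'. The names to_a_label, dnsname_match and the local CertificateError class are my own; the matching rules follow RFC 6125 section 6.4.3 and are not a copy of ssl.match_hostname.

```python
import re


class CertificateError(ValueError):
    """Malformed certificate name pattern (local stand-in, not ssl.CertificateError)."""


def to_a_label(hostname):
    """Return hostname as an ASCII A-label string.

    A str (possibly a U-label such as 'www.straße.de') is passed through the
    'idna' codec, the same conversion the thread describes for server_hostname.
    Bytes are assumed to be ASCII A-labels already.
    """
    if isinstance(hostname, bytes):
        return hostname.decode("ascii")
    return hostname.encode("idna").decode("ascii")


def dnsname_match(pattern, hostname, max_wildcards=1):
    """Match a certificate dNSName/CN pattern against a hostname as A-labels.

    Rules (hypothetical helper modelled on RFC 6125 section 6.4.3):
      * the pattern must already be ASCII: certificate names stay A-labels;
      * at most one '*', and only in the leftmost label;
      * a whole-label wildcard ('*.example.org') may match an IDN host;
      * a partial wildcard ('xn*.example.org') is matched literally when either
        side is an IDNA A-label, so it cannot match 'xn--bcher-kva.example.org'.
    """
    try:
        pattern = pattern.encode("ascii").decode("ascii").lower()
    except UnicodeEncodeError:
        raise ValueError("certificate names must be A-labels: %r" % (pattern,))
    hostname = to_a_label(hostname).lower()

    leftmost, *remainder = pattern.split(".")
    wildcards = leftmost.count("*")
    if wildcards > max_wildcards:
        raise CertificateError("too many wildcards in %r" % (pattern,))
    if any("*" in frag for frag in remainder):
        raise CertificateError("wildcard only allowed in leftmost label: %r" % (pattern,))
    if not wildcards:
        return pattern == hostname  # plain name: exact A-label comparison

    if leftmost == "*":
        pats = ["[^.]+"]              # whole-label wildcard matches exactly one label
    elif leftmost.startswith("xn--") or hostname.startswith("xn--"):
        pats = [re.escape(leftmost)]  # partial wildcard vs. IDNA: '*' is literal
    else:
        pats = [re.escape(leftmost).replace(r"\*", "[^.]*")]
    pats.extend(re.escape(frag) for frag in remainder)
    regex = re.compile(r"\A" + r"\.".join(pats) + r"\Z")
    return regex.match(hostname) is not None


if __name__ == "__main__":
    # Constructed sample: the thread's own hostname and wildcard cases.
    print(to_a_label("www.straße.de"))                                   # www.strasse.de
    print(dnsname_match("*.example.org", "xn--bcher-kva.example.org"))   # True
    print(dnsname_match("xn*.example.org", "xn--bcher-kva.example.org")) # False
```

Note that this only converts the client-side hostname; a non-ASCII pattern is rejected rather than encoded, which is the contract Christian argues for (certificate fields are compared as A-labels, never decoded to U-labels).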