Issue 32819: match_hostname() error reporting bug
Created on 2018-02-11 13:16 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Messages (8)
Author: Christian Heimes (christian.heimes) *
Date: 2018-02-11 13:16
Since bpo #23033, ssl.match_hostname() no longer supports partial wildcard matching, e.g. "www*.example.org". In case of a partial match, _dnsname_match() fails with a confusing/wrong error message:
```
>>> import ssl
>>> ssl._dnsname_match('www*.example.com', 'www1.example.com')
Traceback (most recent call last):
  File "", line 1, in
  File ".../cpython/Lib/ssl.py", line 198, in _dnsname_match
    "wildcard can only be present in the leftmost segment: " + repr(dn))
ssl.SSLCertVerificationError: ("wildcard can only be present in the leftmost segment: 'www*.example.com'",)
```
The wildcard is in the leftmost segment. But it's not a full match but a partial match.
The error message applies to a SAN dNSName like "*.*.example.org" or "www.*.example.com"; however, the function does not raise an error for multiple or non-leftmost wildcards:

Multiple wildcards return None:

```
>>> ssl._dnsname_match('*.*.example.com', 'www.sub.example.com')
```

A single wildcard in another label returns False:

```
>>> ssl._dnsname_match('www.*.example.com', 'www.sub.example.com')
False
```
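As an added illustration, not the CPython patch itself, the matcher below applies the strict rules the fix moved to (a single wildcard, and only as the whole leftmost label) and reports the actual reason a dNSName is rejected, which is the error-reporting defect described above. The names `dnsname_match` and `classify` and the sample inputs are constructed here.

```python
import ssl  # only for the exception type the stdlib raises

def dnsname_match(dn, hostname):
    """Strict RFC 6125 6.4.3-style dNSName match: True/False, or raises
    SSLCertVerificationError naming the rejected wildcard form."""
    if not dn:
        return False
    wildcards = dn.count("*")
    if not wildcards:  # common case: plain name, case-insensitive compare
        return dn.lower() == hostname.lower()
    if wildcards > 1:
        raise ssl.SSLCertVerificationError(
            f"too many wildcards in certificate DNS name: {dn!r}")
    leftmost, sep, remainder = dn.partition(".")
    if "*" in remainder:
        raise ssl.SSLCertVerificationError(
            f"wildcard can only be present in the leftmost label: {dn!r}")
    if not sep:
        raise ssl.SSLCertVerificationError(
            f"sole wildcard without additional labels is not supported: {dn!r}")
    if leftmost != "*":  # the form the original message described wrongly
        raise ssl.SSLCertVerificationError(
            f"partial wildcards in leftmost label are not supported: {dn!r}")
    host_leftmost, sep, host_remainder = hostname.partition(".")
    if not host_leftmost or not sep:  # '*' must match exactly one non-empty label
        return False
    return remainder.lower() == host_remainder.lower()

def classify(dn, hostname):
    """Fold the three outcomes into one string so results can be tabulated."""
    try:
        return "match" if dnsname_match(dn, hostname) else "no match"
    except ssl.SSLCertVerificationError as exc:
        return "rejected: " + exc.args[0]  # str(exc) would print the args tuple

# Constructed inputs covering the forms discussed in the report.
CASES = [
    ("www*.example.com", "www1.example.com"),      # partial wildcard
    ("*.*.example.com", "www.sub.example.com"),    # multiple wildcards
    ("www.*.example.com", "www.sub.example.com"),  # wildcard not leftmost
    ("*.example.com", "WWW.example.com"),          # ordinary wildcard, case-insensitive
    ("*.example.com", "a.b.example.com"),          # '*' does not span labels
]

if __name__ == "__main__":
    for dn, host in CASES:
        print(f"{dn:20} {host:22} -> {classify(dn, host)}")
```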
Author: Christian Heimes (christian.heimes) *
Date: 2018-02-24 13:36
New changeset aef1283ba428e33397d87cee3c54a5110861552d by Christian Heimes in branch 'master': bpo-32819: Simplify and improve ssl.match_hostname (#5620) https://github.com/python/cpython/commit/aef1283ba428e33397d87cee3c54a5110861552d
Author: Christian Heimes (christian.heimes) *
Date: 2018-02-24 14:06
New changeset 46632f4d3c1f3aef875d2ada750a298ab0510992 by Christian Heimes (Miss Islington (bot)) in branch '3.7': [3.7] bpo-32819: Simplify and improve ssl.match_hostname (GH-5620) (#5847) https://github.com/python/cpython/commit/46632f4d3c1f3aef875d2ada750a298ab0510992
Author: Christian Heimes (christian.heimes) *
Date: 2018-02-24 15:09
master and 3.7 are fixed.
Should I backport the issue to 2.7 and 3.6, too? It changes behavior slightly because it drops support for partial wildcards. RFC 6125 considers it an optional feature. AFAIK browsers don't match them either.
Author: Alex Gaynor (alex) *
Date: 2018-02-24 15:10
Can confirm, no browsers do partial (or multiple) wildcards and the CABF rules don't allow public CAs to issue them.
Author: Alex Gaynor (alex) *
Date: 2018-02-24 15:10
(Didn't mean to update status)
Author: Christian Heimes (christian.heimes) *
Date: 2018-02-24 15:13
Don't worry, it happens automatically when somebody replies to a pending ticket w/o closing it explicitly.
I need to backport the patch manually.
Author: Christian Heimes (christian.heimes) *
Date: 2018-02-24 15:16
I also fixed an issue for Brandon's backport, https://bitbucket.org/brandon/backports.ssl_match_hostname/issues/12/update-to-implementation-from-37
History
| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2022-04-11 14:58:57 | admin | set | github: 77000 |
| 2018-02-25 20:12:09 | christian.heimes | set | status: open -> closed; resolution: fixed; stage: needs patch -> resolved |
| 2018-02-24 15:16:36 | christian.heimes | set | messages: + |
| 2018-02-24 15:13:55 | christian.heimes | set | status: pending -> open; versions: + Python 2.7, Python 3.6; messages: +; resolution: fixed -> (no value); stage: resolved -> needs patch |
| 2018-02-24 15:10:46 | alex | set | status: open -> pending; messages: + |
| 2018-02-24 15:10:18 | alex | set | status: pending -> open; messages: + |
| 2018-02-24 15:09:14 | christian.heimes | set | status: open -> pending; versions: + Python 3.7, Python 3.8; nosy: + janssen, alex, dstufft; messages: +; resolution: fixed; stage: patch review -> resolved |
| 2018-02-24 14:06:48 | christian.heimes | set | messages: + |
| 2018-02-24 13:37:08 | miss-islington | set | pull_requests: + pull_request5623 |
| 2018-02-24 13:36:00 | christian.heimes | set | messages: + |
| 2018-02-11 14:58:36 | christian.heimes | set | keywords: + patch; stage: patch review; pull_requests: + pull_request5429 |
| 2018-02-11 13:16:21 | christian.heimes | create | |