[issue28414] SSL match_hostname fails for internationalized domain names
New submission from Anton Sychugov:

In accordance with http://tools.ietf.org/html/rfc6125#section-6.4.2:

"If the DNS domain name portion of a reference identifier is an internationalized domain name, then an implementation MUST convert any U-labels [IDNA-DEFS] in the domain name to A-labels before checking the domain name."

The question is: where in the Python stdlib should it convert the domain name from U-label to A-label?

Should it be in ssl._dnsname_match, e.g.:

    ...
    hostname = hostname.encode('idna').decode('utf-8')
    ...

Or should it be at the ssl._dnsname_match caller level?

I found that the error appears after using ssl.SSLContext.wrap_bio, which in turn uses the internal newPySSLSocket, which in turn always decodes server_hostname through:

    PySSLSocket *self;
    ...
    PyObject *hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname), "idna", "strict");
    ...
    self->server_hostname = hostname;

In this way, SSLSocket always contains a U-label in its server_hostname field, and ssl._dnsname_match fails with "ssl.CertificateError: hostname ... doesn't match either of ..."

And I don't understand where the bug is, or whether it is a bug.

--
components: asyncio
messages: 278466
nosy: abracadaber, gvanrossum, yselivanov
priority: normal
severity: normal
status: open
title: SSL match_hostname fails for internationalized domain names
versions: Python 3.4, Python 3.5

___
Python tracker <http://bugs.python.org/issue28414>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
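The RFC 6125 section 6.4.2 conversion quoted in the report above, as an added example that is not part of the original message and is not CPython's ssl code. The function names and the sample certificate names are hypothetical and constructed for illustration; the wildcard handling covers only a whole left-most "*" label.

```python
# Added example, not CPython's ssl code. Names below are hypothetical.
# Certificate dNSName entries are A-labels (ASCII); the caller may pass U-labels.

SAMPLE_SANS = ["xn--bcher-kva.example", "*.xn--bcher-kva.example"]  # constructed


def to_a_label(hostname):
    """Convert U-labels to A-labels (RFC 6125 section 6.4.2).

    Uses the stdlib 'idna' codec, which implements IDNA 2003 (RFC 3490).
    Raises UnicodeError for empty or over-long labels.
    """
    return hostname.encode("idna").decode("ascii").lower()


def dns_id_matches(cert_dns_name, ascii_hostname):
    """Label-wise, case-insensitive comparison of two ASCII names.

    Only a whole left-most '*' label is treated as a wildcard.
    """
    pattern = cert_dns_name.lower().split(".")
    labels = ascii_hostname.lower().split(".")
    if len(pattern) != len(labels) or pattern[1:] != labels[1:]:
        return False
    if pattern[0] == "*":
        return labels[0] != ""
    return pattern[0] == labels[0]


def match_hostname_idna(cert_dns_names, hostname):
    """Convert the reference identifier first, then compare; fail closed."""
    try:
        reference = to_a_label(hostname)
    except UnicodeError:
        return False  # not a valid IDNA name: treat as a mismatch
    return any(dns_id_matches(name, reference) for name in cert_dns_names)


if __name__ == "__main__":
    u_label = "b\u00fccher.example"  # "bücher.example", constructed
    # Comparing the U-label directly reproduces the mismatch from the report.
    print(any(dns_id_matches(n, u_label) for n in SAMPLE_SANS))
    # Converting first lets the same certificate names match.
    print(match_hostname_idna(SAMPLE_SANS, u_label))
```
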
[issue28414] SSL match_hostname fails for internationalized domain names
Changes by Anton Sychugov:

--
type: -> enhancement
[issue28414] SSL match_hostname fails for internationalized domain names
Changes by Anton Sychugov:

--
assignee: -> christian.heimes
components: +SSL
nosy: +christian.heimes
[issue28414] SSL match_hostname fails for internationalized domain names
Anton Sychugov added the comment:

Yes, I misspelled, match_hostname() fails with ssl.CertificateError.
[issue28414] SSL match_hostname fails for internationalized domain names
Anton Sychugov added the comment:

Christian, thanks a lot for your comment and for the patch you provided. It becomes much clearer.
I'll be watching for #17305.