<div dir="ltr">ssl.match_hostname was added in Python 2.7.9, looks like Python 2 should be fixed as well.</div><br><div class="gmail_quote"><div dir="ltr">On Sat, Dec 30, 2017 at 3:50 PM Antoine Pitrou <<a href="mailto:solipsis@pitrou.net">solipsis@pitrou.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Thanks. So the change sounds ok to me.<br>
<br>
Regards<br>
<br>
Antoine.<br>
<br>
<br>
On Sat, 30 Dec 2017 14:34:04 +0100<br>
Christian Heimes <<a href="mailto:christian@python.org" target="_blank">christian@python.org</a>> wrote:<br>
> On 2017-12-30 11:28, Antoine Pitrou wrote:<br>
> > On Fri, 29 Dec 2017 21:54:46 +0100<br>
> > Christian Heimes <<a href="mailto:christian@python.org" target="_blank">christian@python.org</a>> wrote:<br>
> >><br>
> >> On the other hand ssl module is currently completely broken. It converts<br>
> >> hostnames from bytes to text with 'idna' codec in some places, but not<br>
> >> in all. The SSLSocket.server_hostname attribute and callback function<br>
> >> SSLContext.set_servername_callback() are decoded as U-label.<br>
> >> Certificate's common name and subject alternative name fields are not<br>
> >> decoded and therefore A-labels. The *must* stay A-labels because<br>
> >> hostname verification is only defined in terms of A-labels. We even had<br>
> >> a security issue once, because partial wildcard like 'xn*.<a href="http://example.org" rel="noreferrer" target="_blank">example.org</a>'<br>
> >> must not match IDN hosts like '<a href="http://xn--bcher-kva.example.org" rel="noreferrer" target="_blank">xn--bcher-kva.example.org</a>'.<br>
> >><br>
> >> In issue [2] and PR [3], we all agreed that the only sensible fix is to<br>
> >> make 'SSLContext.server_hostname' an ASCII text A-label.<br>
> ><br>
> > What are the changes in API terms? If I'm calling wrap_socket(), can I<br>
> > pass `server_hostname='straße'` and it will IDNA-encode it? Or do I<br>
> > have to encode it myself? If the latter, it seems like we are putting<br>
> > the burden of protocol compliance on users.<br>
><br>
> Only SSLSocket.server_hostname attribute and the hostname argument to<br>
> the SNI callback will change. Both values will be A-labels instead of<br>
> U-labels. You can still pass an U-label to the server_hostname argument<br>
> and it will be encoded with "idna" encoding.<br>
><br>
> >>> sock = ctx.wrap_socket(socket.socket(), server_hostname='<a href="http://www.strasse.de" rel="noreferrer" target="_blank">www.straße.de</a>')<br>
><br>
> Currently:<br>
> >>> sock.server_hostname<br>
> '<a href="http://www.strasse.de" rel="noreferrer" target="_blank">www.straße.de</a>'<br>
><br>
> Changed:<br>
> >>> sock.server_hostname<br>
> '<a href="http://www.strasse.de" rel="noreferrer" target="_blank">www.strasse.de</a>'<br>
><br>
> Christian<br>
><br>
> _______________________________________________<br>
> Python-Dev mailing list<br>
> <a href="mailto:Python-Dev@python.org" target="_blank">Python-Dev@python.org</a><br>
> <a href="https://mail.python.org/mailman/listinfo/python-dev" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/python-dev</a><br>
> Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/python-python-dev%40m.gmane.org" rel="noreferrer" target="_blank">https://mail.python.org/mailman/options/python-dev/python-python-dev%40m.gmane.org</a><br>
<br>
<br>
<br>
_______________________________________________<br>
Python-Dev mailing list<br>
<a href="mailto:Python-Dev@python.org" target="_blank">Python-Dev@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-dev" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/python-dev</a><br>
Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/andrew.svetlov%40gmail.com" rel="noreferrer" target="_blank">https://mail.python.org/mailman/options/python-dev/andrew.svetlov%40gmail.com</a><br>
</blockquote></div><div dir="ltr">-- <br></div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Thanks,</div>Andrew Svetlov</div></div>