[New-bugs-announce] [issue17980] ssl.match_hostname() trips over crafted wildcard names

Florian Weimer report at bugs.python.org
Wed May 15 12:25:06 CEST 2013

New submission from Florian Weimer:

If the name in the certificate contains many "*" characters, matching the compiled regular expression against the host name can take a very long time.  Certificate validation happens before host name checking, so I think this is a minor issue only because it can only be triggered in cooperation with a CA (which seems unlikely).

The fix is to limit the number of "*" wildcards to a reasonable maximum (perhaps even 1).

components: Library (Lib)
messages: 189280
nosy: fweimer
priority: normal
severity: normal
status: open
title: ssl.match_hostname() trips over crafted wildcard names
versions: Python 3.3

Python tracker <report at bugs.python.org>
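
An added example (not part of the original report and not CPython's own code) of the fix proposed above: count the "*" characters in the certificate name and reject the name before any regular expression is compiled. The function names, the exception class and the label-to-regex translation are assumptions made for illustration.

```python
import re


class CertificateNameError(ValueError):
    """Raised when a certificate name is rejected before matching."""


def dnsname_to_pattern(dn, max_wildcards=1):
    """Translate a certificate DNS name into a compiled regex.

    The wildcard count is checked first, so a name carrying many "*"
    characters never reaches the regex engine.
    """
    if dn.count("*") > max_wildcards:
        raise CertificateNameError(
            "too many wildcards in certificate name: %r" % dn)
    parts = []
    for frag in dn.split("."):
        if frag == "*":
            # A lone "*" label matches exactly one non-empty label.
            parts.append("[^.]+")
        else:
            # "*" inside a label matches any run of non-dot characters.
            parts.append(re.escape(frag).replace(r"\*", "[^.]*"))
    return re.compile(r"\A" + r"\.".join(parts) + r"\Z", re.IGNORECASE)


def hostname_matches(dn, hostname, max_wildcards=1):
    """Return True if hostname matches dn; raise on over-wildcarded names."""
    return dnsname_to_pattern(dn, max_wildcards).match(hostname) is not None


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    samples = [
        ("*.example.com", "www.example.com"),
        ("*.example.com", "a.b.example.com"),
        ("www*.example.com", "www1.example.com"),
        ("*" * 30 + ".example.com", "www.example.com"),
    ]
    for dn, host in samples:
        try:
            print(dn, host, hostname_matches(dn, host))
        except CertificateNameError as exc:
            print("rejected:", exc)
```

Rejection happens on a plain character count, so the cost of handling an over-wildcarded name is linear in its length regardless of the host name being checked.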
