[Python-Dev] [ssl] The weird case of IDNA

Andrew Svetlov andrew.svetlov at gmail.com
Sat Dec 30 09:20:27 EST 2017


ssl.match_hostname was added in Python 2.7.9, looks like Python 2 should be
fixed as well.

On Sat, Dec 30, 2017 at 3:50 PM Antoine Pitrou <solipsis at pitrou.net> wrote:

>
> Thanks.  So the change sounds ok to me.
>
> Regards
>
> Antoine.
>
>
> On Sat, 30 Dec 2017 14:34:04 +0100
> Christian Heimes <christian at python.org> wrote:
> > On 2017-12-30 11:28, Antoine Pitrou wrote:
> > > On Fri, 29 Dec 2017 21:54:46 +0100
> > > Christian Heimes <christian at python.org> wrote:
> > >>
> > >> On the other hand ssl module is currently completely broken. It converts
> > >> hostnames from bytes to text with 'idna' codec in some places, but not
> > >> in all. The SSLSocket.server_hostname attribute and callback function
> > >> SSLContext.set_servername_callback() are decoded as U-label.
> > >> Certificate's common name and subject alternative name fields are not
> > >> decoded and therefore A-labels. They *must* stay A-labels because
> > >> hostname verification is only defined in terms of A-labels. We even had
> > >> a security issue once, because partial wildcard like 'xn*.example.org'
> > >> must not match IDN hosts like 'xn--bcher-kva.example.org'.
> > >>
> > >> In issue [2] and PR [3], we all agreed that the only sensible fix is to
> > >> make 'SSLContext.server_hostname' an ASCII text A-label.
> > >
> > > What are the changes in API terms?  If I'm calling wrap_socket(), can I
> > > pass `server_hostname='straße'` and it will IDNA-encode it?  Or do I
> > > have to encode it myself?  If the latter, it seems like we are putting
> > > the burden of protocol compliance on users.
> >
> > Only SSLSocket.server_hostname attribute and the hostname argument to
> > the SNI callback will change. Both values will be A-labels instead of
> > U-labels. You can still pass an U-label to the server_hostname argument
> > and it will be encoded with "idna" encoding.
> >
> > >>> sock = ctx.wrap_socket(socket.socket(), server_hostname='www.straße.de')
> >
> > Currently:
> > >>> sock.server_hostname
> > 'www.straße.de'
> >
> > Changed:
> > >>> sock.server_hostname
> > 'www.strasse.de'
> >
> > Christian
> >
> > _______________________________________________
> > Python-Dev mailing list
> > Python-Dev at python.org
> > https://mail.python.org/mailman/listinfo/python-dev
> > Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/python-python-dev%40m.gmane.org
>
>
>
>
-- 
Thanks,
Andrew Svetlov
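The two behaviours the thread argues about, as an added example that is not code from the thread or from CPython's ssl module: a helper that normalizes a name to its A-label the way the 'idna' codec does (so 'straße' becomes 'strasse' and 'bücher' becomes 'xn--bcher-kva'), a simplified dNSName matcher that compares A-labels only and rejects partial wildcards such as 'xn*.example.org', and a check of what SSLSocket.server_hostname holds for an unconnected socket. The function names to_a_label, dnsname_match and sni_hostname are assumptions; the matcher illustrates the rule, it is not ssl.match_hostname itself.

```python
import socket
import ssl


def to_a_label(hostname):
    """Normalize a hostname (str or bytes, U-label or A-label) to an ASCII A-label.
    The 'idna' codec passes pure-ASCII labels through unchanged and
    punycode-encodes non-ASCII ones after nameprep ('ß' maps to 'ss')."""
    if isinstance(hostname, bytes):
        hostname = hostname.decode("ascii")
    return hostname.encode("idna").decode("ascii")


def dnsname_match(pattern, hostname):
    """Match a certificate dNSName (possibly with a leftmost wildcard) against a
    hostname. Both sides are compared as lower-cased A-labels, so the U-label
    'bücher.example.org' equals the A-label 'xn--bcher-kva.example.org'.
    A wildcard is honoured only when it is the entire leftmost label; partial
    wildcards such as 'xn*.example.org' are rejected outright, which is what
    keeps them from matching IDN hosts like 'xn--bcher-kva.example.org'.
    Simplified illustration (hypothetical helper), not ssl.match_hostname."""
    plabels = to_a_label(pattern).lower().split(".")
    hlabels = to_a_label(hostname).lower().split(".")
    if any("*" in label for label in plabels[1:]):
        return False  # wildcard outside the leftmost label is never allowed
    if "*" not in plabels[0]:
        return plabels == hlabels  # plain name: exact label-wise comparison
    if plabels[0] != "*":
        return False  # partial wildcard ('xn*', 'www*'): refuse to match
    # '*' stands for exactly one non-empty label, never zero or several
    return (len(hlabels) == len(plabels)
            and hlabels[0] != ""
            and hlabels[1:] == plabels[1:])


def sni_hostname(hostname):
    """Wrap an unconnected client socket with the given server_hostname and
    return the resulting SSLSocket.server_hostname attribute. On Python 3.7+
    this is the A-label ('www.strasse.de'), as agreed in the thread; earlier
    versions kept the U-label. No network traffic is generated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with socket.socket() as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as sock:
            return sock.server_hostname


if __name__ == "__main__":
    print(to_a_label("www.straße.de"))          # www.strasse.de
    print(dnsname_match("xn*.example.org", "xn--bcher-kva.example.org"))  # False
    print(sni_hostname("www.straße.de"))
```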