[issue17980] CVE-2013-2099 ssl.match_hostname() trips over crafted wildcard names

Antoine Pitrou report at bugs.python.org
Thu May 16 14:33:31 CEST 2013


Antoine Pitrou added the comment:

Indeed, two wildcards seem to be ok with a 255-character domain name:

$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
1000 loops, best of 3: 797 usec per loop

Three wildcards already start producing some load:

$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 66.2 msec per loop

Four wildcards are more than enough for a DoS:

$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 4.12 sec per loop

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17980>
_______________________________________
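The blow-up measured above comes from turning every `*` in the certificate name into an unbounded regex quantifier, so k wildcards against an n-character label cost roughly O(n^k) backtracking steps on a non-matching host. The following is an added example, not code from the message above or from the CPython tree: `vulnerable_match` re-creates that pre-fix strategy (each `*` becomes `[^.]*`), and `hardened_match` refuses more than one wildcard in the leftmost label and treats `*` in later labels literally, which is the approach the eventual fix took. The helper names (`vulnerable_match`, `hardened_match`, `time_match`) and the local `CertificateError` class are this example's own.

```python
import re
import time


class CertificateError(ValueError):
    """Stand-in for ssl.CertificateError (assumption: local class, not the stdlib one)."""


def _vulnerable_pattern(dn):
    # Re-creation of the pre-fix approach: every '*' in every label becomes
    # '[^.]*', so a name with k wildcards yields k nested unbounded quantifiers.
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')          # a bare '*' label matches one non-empty label
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)


def vulnerable_match(dn, hostname):
    """Match with unlimited wildcards; backtracks ~O(n^k) on a near-miss host."""
    return _vulnerable_pattern(dn).match(hostname) is not None


def hardened_match(dn, hostname, max_wildcards=1):
    """Match allowing at most max_wildcards '*' in the leftmost label only."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')

    # Bound the work before any regex is built: the label with the most
    # wildcards decides the backtracking depth, so cap it at one.
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)

    # No wildcard in the leftmost label: plain case-insensitive comparison.
    # A '*' in any later label is therefore never expanded.
    if not wildcards:
        return dn.lower() == hostname.lower()

    if leftmost == '*':
        pats = ['[^.]+']                  # '*' alone: one non-empty label
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]  # e.g. 'www*'
    pats.extend(re.escape(frag) for frag in remainder)        # literal tail

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def time_match(matcher, dn, hostname):
    """Return (seconds, outcome); outcome is the bool result or the exception name."""
    start = time.perf_counter()
    try:
        outcome = matcher(dn, hostname)
    except CertificateError as exc:
        outcome = type(exc).__name__
    return time.perf_counter() - start, outcome


if __name__ == "__main__":
    # Constructed inputs mirroring the message above: 250 'a's plus 'z.com'
    # never matches a name ending in 'a.com', which forces full backtracking.
    host = 'a' * 250 + 'z.com'
    for dn in ('*a*a.com', '*a*a*a.com', '*a*a*a*a.com'):
        v_secs, v_out = time_match(vulnerable_match, dn, host)
        h_secs, h_out = time_match(hardened_match, dn, host)
        print("%-14s vulnerable: %-5s %8.3fs   hardened: %-16s %8.6fs"
              % (dn, v_out, v_secs, h_out, h_secs))
```

The wildcard cap is checked on the raw string before a pattern is compiled, so a hostile certificate costs a `count()` call and an exception rather than seconds of regex backtracking; `*.example.com` still refuses to match `a.b.example.com` because `[^.]` never crosses a label boundary.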