[issue28414] SSL match_hostname fails for internationalized domain names
Anton Sychugov
report at bugs.python.org
Tue Oct 11 04:02:36 EDT 2016
New submission from Anton Sychugov:
In accordance with http://tools.ietf.org/html/rfc6125#section-6.4.2:
"If the DNS domain name portion of a reference identifier is an internationalized domain name, then an implementation MUST convert any U-labels [IDNA-DEFS] in the domain name to A-labels before checking the domain name."
The question is: Where in python stdlib should it to convert domain name from U-label to A-label? Should it be in ssl._dnsname_match, e.g.:
...
hostname = hostname.encode('idna').decode('utf-8')
...
Or should it be at ssl._dnsname_match caller level?
I found that error appears after using ssl.SSLContext.wrap_bio, which in turn uses internal newPySSLSocket, which in turn always decode server_hostname through:
PySSLSocket *self;
...
PyObject *hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname), "idna", "strict");
...
self->server_hostname = hostname;
In this way, SSLSocket always contains U-label in its server_hostname field, and ssl._dnsname_match falis with "ssl.CertificateError: hostname ... doesn't match either of ..."
And i don't understand where is a bug, or is it a bug.
----------
components: asyncio
messages: 278466
nosy: abracadaber, gvanrossum, yselivanov
priority: normal
severity: normal
status: open
title: SSL match_hostname fails for internationalized domain names
versions: Python 3.4, Python 3.5
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue28414>
_______________________________________
More information about the Python-bugs-list
mailing list