[issue28414] SSL match_hostname fails for internationalized domain names

2018-02-23 Thread Nathaniel Smith
Change by Nathaniel Smith : -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker ___

[issue28414] SSL match_hostname fails for internationalized domain names

2018-02-23 Thread Nathaniel Smith
Nathaniel Smith added the comment: New changeset 1c37e277190565f0e30fc9281caae4c899ac3b50 by Nathaniel J. Smith (Miss Islington (bot)) in branch '3.7': [bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128) (GH-5843)

[issue28414] SSL match_hostname fails for internationalized domain names

2018-02-23 Thread miss-islington
Change by miss-islington : -- pull_requests: +5618 ___ Python tracker ___

[issue28414] SSL match_hostname fails for internationalized domain names

2018-02-23 Thread Nathaniel Smith
Nathaniel Smith added the comment: New changeset 11a1493bc4198f1def5e572049485779cf54dc57 by Nathaniel J. Smith (Christian Heimes) in branch 'master': [bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128)

[issue28414] SSL match_hostname fails for internationalized domain names

2018-02-20 Thread Nathaniel Smith
Nathaniel Smith added the comment: Christian: we're less than a week out from b2. Do you need any help here? -- ___ Python tracker ___

[issue28414] SSL match_hostname fails for internationalized domain names

2018-01-29 Thread Christian Heimes
Christian Heimes added the comment: In PR https://github.com/python/cpython/pull/5395 I added a test to verify that most IDNA domains are now working. IDNA 2008 deviations and the fundamental issue of IDNA server callback and IDNA encoded server_hostname attribute are still

[issue28414] SSL match_hostname fails for internationalized domain names

2018-01-29 Thread Christian Heimes
Christian Heimes added the comment: New changeset 66e5742becce38e69a8f09e5f7051445fc57e92e by Christian Heimes in branch 'master': bpo-28414: ssl module idna test (#5395) https://github.com/python/cpython/commit/66e5742becce38e69a8f09e5f7051445fc57e92e --

[issue28414] SSL match_hostname fails for internationalized domain names

2018-01-28 Thread Ned Deily
Ned Deily added the comment: At Christian's request and considering the importance of the ssl module, I'm going to allow an extension for landing of this feature until 3.7.0b2, currently scheduled for 2018-02-26. If anyone else can help Christian get this in before b2, that

[issue28414] SSL match_hostname fails for internationalized domain names

2018-01-28 Thread Christian Heimes
Change by Christian Heimes : -- pull_requests: +5230 ___ Python tracker ___ ___

[issue28414] SSL match_hostname fails for internationalized domain names

2018-01-28 Thread Greg Lindahl
Change by Greg Lindahl : -- nosy: +wumpus ___ Python tracker ___ ___ Python-bugs-list

[issue28414] SSL match_hostname fails for internationalized domain names

2018-01-07 Thread Christian Heimes
Change by Christian Heimes : -- keywords: +patch pull_requests: +4989 stage: -> patch review ___ Python tracker ___

[issue28414] SSL match_hostname fails for internationalized domain names

2017-11-17 Thread Nick Lamb
Nick Lamb added the comment: As much for myself when I next run into this on my checklist as for any other readers: Despite the appearance of nothing happening PR 3010 (linked) actually has a little bit of momentum and seems likely to eventually land in Python.

[issue28414] SSL match_hostname fails for internationalized domain names

2017-08-07 Thread Christian Heimes
Christian Heimes added the comment: For the record, I'm now considering match_hostname() on U-Labels crazy level 'A sure sign of someone who wears his underpants on his head.'. Once upon a time I had some hope to make it work and keep server_hostname to be an IDN U-Label. I no longer think it

[issue28414] SSL match_hostname fails for internationalized domain names

2017-08-06 Thread Nathaniel Smith
Changes by Nathaniel Smith : -- pull_requests: +3043 ___ Python tracker ___ ___

[issue28414] SSL match_hostname fails for internationalized domain names

2017-08-06 Thread Nathaniel Smith
Nathaniel Smith added the comment: > I haven't dug in deeply, but it sounds like we handle IDNs in CNs and SANs > differently? No -- Python's ssl module uses exactly the same hostname checking logic in both cases, and it's equally broken regardless. But, since CAs do all kinds of weird stuff

[issue28414] SSL match_hostname fails for internationalized domain names

2017-08-06 Thread Alex Gaynor
Changes by Alex Gaynor : -- nosy: +dstufft, janssen ___ Python tracker ___ ___

[issue28414] SSL match_hostname fails for internationalized domain names

2017-08-06 Thread Alex Gaynor
Alex Gaynor added the comment: This came up on m.d.s.p. today: https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/fx6c3WWFBgAJ I haven't dug in deeply, but it sounds like we handle IDNs in CNs and SANs differently? I think we should look for a way to solve that specific

[issue28414] SSL match_hostname fails for internationalized domain names

2017-07-18 Thread Nick Lamb
Nick Lamb added the comment: Did I miss Christian's "PEP Broadcast"? -- ___ Python tracker ___ ___

[issue28414] SSL match_hostname fails for internationalized domain names

2017-06-12 Thread Nick Lamb
Nick Lamb added the comment: I endorse njs' recommended fix here. Don't try to get clever, this is a security component, it should be the dumbest it can be possibly be while being correct, because if it's smarter it will probably be wrong. -- nosy: +tialaramex

[issue28414] SSL match_hostname fails for internationalized domain names

2017-06-08 Thread Christian Heimes
Christian Heimes added the comment: I have an idea for a different approach that can be applied to both ssl and socket module. Stay tuned to this station for a PEP broadcast! -- ___ Python tracker

[issue28414] SSL match_hostname fails for internationalized domain names

2017-06-08 Thread Nathaniel Smith
Nathaniel Smith added the comment: If the SSL module followed the pattern of encoding all str to bytes at the edges while leaving bytes alone, and used exclusively bytes internally (and in this case by "bytes" I mean "bytes objects containing A-labels"), then it would at least fix this bug

[issue28414] SSL match_hostname fails for internationalized domain names

2017-04-21 Thread Mathieu Poussin
Mathieu Poussin added the comment: Hello Christian. Is there any update about this issue ? Do we have any alternative to avoid this problem ? Thank you. -- nosy: +kedare ___ Python tracker

[issue28414] SSL match_hostname fails for internationalized domain names

2017-01-09 Thread Socob
Changes by Socob <206a8...@opayq.com>: -- nosy: +Socob ___ Python tracker ___ ___ Python-bugs-list mailing

[issue28414] SSL match_hostname fails for internationalized domain names

2016-11-02 Thread Christian Heimes
Christian Heimes added the comment: It's a big, complicated mess. I can't implement IDN support correctly because Python lacks UTS#46 and IDNA2008 support. I just found out that IDNA 2008 is not enough because it does not provide a case mapping. Lack of case mapping broke my fix for curl

[issue28414] SSL match_hostname fails for internationalized domain names

2016-10-21 Thread Yury Selivanov
Yury Selivanov added the comment: Christian, what's the status on this one? -- ___ Python tracker ___ ___

[issue28414] SSL match_hostname fails for internationalized domain names

2016-10-12 Thread Anton Sychugov
Anton Sychugov added the comment: Christian, thanks a lot for your comment and for patch you provide. It becomes much clearer. I'll be watching for #17305. -- ___ Python tracker

[issue28414] SSL match_hostname fails for internationalized domain names

2016-10-11 Thread Guido van Rossum
Changes by Guido van Rossum : -- nosy: -gvanrossum ___ Python tracker ___ ___

[issue28414] SSL match_hostname fails for internationalized domain names

2016-10-11 Thread Anton Sychugov
Anton Sychugov added the comment: Yes, I misspelled, match_hostname() fails with ssl.CertificateError. -- ___ Python tracker ___

[issue28414] SSL match_hostname fails for internationalized domain names

2016-10-11 Thread Christian Heimes
Changes by Christian Heimes : -- versions: +Python 2.7, Python 3.6, Python 3.7 -Python 3.4 ___ Python tracker ___

[issue28414] SSL match_hostname fails for internationalized domain names

2016-10-11 Thread Christian Heimes
Christian Heimes added the comment: Thanks for bringing this to my attention. I can confirm that the code is broken. Further more there are no tests for IDN for server_hostname. * server_hostname must be an IDN U-label (locälhost) * SSL handshake correctly converts and sends TLS SNI as IDN

[issue28414] SSL match_hostname fails for internationalized domain names

2016-10-11 Thread Anton Sychugov
Changes by Anton Sychugov : -- assignee: -> christian.heimes components: +SSL nosy: +christian.heimes ___ Python tracker ___

[issue28414] SSL match_hostname fails for internationalized domain names

2016-10-11 Thread Anton Sychugov
Changes by Anton Sychugov : -- type: -> enhancement ___ Python tracker ___ ___

[issue28414] SSL match_hostname fails for internationalized domain names

2016-10-11 Thread Anton Sychugov
New submission from Anton Sychugov: In accordance with http://tools.ietf.org/html/rfc6125#section-6.4.2: "If the DNS domain name portion of a reference identifier is an internationalized domain name, then an implementation MUST convert any U-labels [IDNA-DEFS] in the domain name to A-labels