Antoine Pitrou added the comment: Indeed, two wildcards seem to be ok with a 255-character domain name:
$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
1000 loops, best of 3: 797 usec per loop

Three wildcards already start producing some load:

$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 66.2 msec per loop

Four wildcards are more than enough for a DoS:

$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 4.12 sec per loop

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue17980>
_______________________________________
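The timings above come from the way the wildcard name is turned into a regular expression: every '*' becomes a '[^.]*' quantifier, and a label that holds several of them followed by a long non-matching hostname makes the regex engine try each way of dividing the label between the quantifiers, so the cost grows exponentially with the wildcard count. The block below is an added example written for this page; it is not code from the tracker, the poster or CPython. It rebuilds that translation with a per-label wildcard cap (the same shape as the cap CPython adopted for this issue), a simplified match_hostname over the getpeercert() dict shape, a small result wrapper, and a linear-time label matcher that needs no regex at all. All function names and the certificate dicts are made up for the illustration.

```python
import re

# Added example, not CPython's code: reproduces the wildcard-to-regex
# translation shape used by ssl.match_hostname at the time of the comment,
# caps wildcards per label, and shows a backtracking-free alternative.
# Function names and sample certificates are hypothetical.


class CertificateError(ValueError):
    pass


def dnsname_to_pat(dn, max_wildcards=1):
    """Translate a certificate DNS name containing '*' into a regex.

    '*' becomes '[^.]*', so a wildcard never spans a label boundary.  Several
    wildcards in one label chain several '[^.]*' quantifiers; on a long label
    that does not match (the 'a' * 250 + 'z' case) the engine tries every way
    of splitting the label between them, which grows exponentially with the
    wildcard count.  Capping the count per label keeps the translation safe.
    """
    pats = []
    for frag in dn.split('.'):
        if frag.count('*') > max_wildcards:
            raise CertificateError(
                "too many wildcards in certificate DNS name: %r" % dn)
        if frag == '*':
            pats.append('[^.]+')      # a bare '*' must match a non-empty label
        else:
            frag = re.escape(frag)
            pats.append(frag.replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)


def match_hostname(cert, hostname, max_wildcards=1):
    """Simplified match_hostname: dNSName SAN entries first, then commonName.

    `cert` has the dict shape returned by SSLSocket.getpeercert().  Returns
    None on success and raises CertificateError otherwise.
    """
    dnsnames = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if dnsname_to_pat(value, max_wildcards).match(hostname):
                return None
            dnsnames.append(value)
    if not dnsnames:      # the subject is consulted only when no dNSName exists
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    if dnsname_to_pat(value, max_wildcards).match(hostname):
                        return None
                    dnsnames.append(value)
    raise CertificateError("hostname %r doesn't match %r" % (hostname, dnsnames))


def hostname_check(cert, hostname, max_wildcards=1):
    """Return (True, None) on a match, (False, error message) otherwise."""
    try:
        match_hostname(cert, hostname, max_wildcards)
    except CertificateError as exc:
        return False, str(exc)
    return True, None


def glob_label_match(pattern, label):
    """Match one label against a '*'-only glob without a regex.

    The literal pieces between the stars are anchored as prefix and suffix and
    the middle pieces are located left to right with str.find, so the cost is
    polynomial in the two lengths however many wildcards the pattern holds.
    """
    pattern, label = pattern.lower(), label.lower()
    pieces = pattern.split('*')
    if len(pieces) == 1:
        return pattern == label
    first, last = pieces[0], pieces[-1]
    if len(label) < len(first) + len(last):
        return False
    if not (label.startswith(first) and label.endswith(last)):
        return False
    pos, end = len(first), len(label) - len(last)
    for piece in pieces[1:-1]:
        idx = label.find(piece, pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


if __name__ == '__main__':
    # Constructed certificates in getpeercert() shape.
    good = {'subject': ((('commonName', '*.example.com'),),)}
    hostile = {'subject': ((('commonName', '*a*a*a*a.com'),),)}
    print(hostname_check(good, 'www.example.com'))
    print(hostname_check(hostile, 'a' * 250 + 'z.com'))   # rejected before any regex runs
    print(glob_label_match('*a*a*a*a', 'a' * 250 + 'z'))  # False, without backtracking
```

With the cap in place the four-wildcard name from the comment is rejected as soon as the label is inspected, before any pattern is compiled or matched, so the hostile hostname length no longer matters. The glob matcher shows the other route: if multiple wildcards per label had to be tolerated, a matcher that never backtracks removes the exponential case rather than bounding it.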