Christian Heimes added the comment:

Thanks for bringing this to my attention. I can confirm that the code is 
broken. Furthermore there are no tests for IDN for server_hostname.

* server_hostname must be an IDN U-label (locälhost)
* SSL handshake correctly converts and sends TLS SNI as IDN A-label 
(xn--loclhost-2za)
* getpeercert() returns DNS SAN as IDN A-label. It's less than ideal but 
required.
* the serverhostname_callback is called with IDN U-label
* match_hostname() is called with IDN U-label

The bug is clearly in match_hostname(). The function fails to convert the 
hostname U-label to A-label before it compares the certificate.

I have a rough draft of a patch here 
https://github.com/tiran/cpython/tree/issue28414_idna_verify

By the way IDNA support in Python is broken in general, #17305. We still don't 
support the latest IDNA standard from 2008 (!). IDNA 2003 is not compatible 
with German, Greek, Farsi and Sinhalese domains, 
http://unicode.org/faq/idn.html.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28414>
_______________________________________