On Fri, 29 Dec 2017 21:54:46 +0100 Christian Heimes <christ...@python.org> wrote:
>
> On the other hand ssl module is currently completely broken. It converts
> hostnames from bytes to text with 'idna' codec in some places, but not
> in all. The SSLSocket.server_hostname attribute and callback function
> SSLContext.set_servername_callback() are decoded as U-label.
> Certificate's common name and subject alternative name fields are not
> decoded and therefore A-labels. They *must* stay A-labels because
> hostname verification is only defined in terms of A-labels. We even had
> a security issue once, because partial wildcard like 'xn*.example.org'
> must not match IDN hosts like 'xn--bcher-kva.example.org'.
>
> In issue [2] and PR [3], we all agreed that the only sensible fix is to
> make 'SSLContext.server_hostname' an ASCII text A-label.
What are the changes in API terms? If I'm calling wrap_socket(), can I pass `server_hostname='straße'` and it will IDNA-encode it? Or do I have to encode it myself? If the latter, it seems like we are putting the burden of protocol compliance on users.

Regards

Antoine.
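The two points Christian raises, that verification has to be done on A-labels and that a partial wildcard must never match an IDN label, can be shown in a few lines. The code below is an added illustration written for this thread, not CPython's ssl module or anything from the referenced issue or PR; the function names to_a_label and dnsname_match are invented, and the matching rules are the RFC 6125 section 6.4.3 rules (wildcard only in the leftmost label, never partially against an 'xn--' label), applied after both sides have been normalised to A-labels with the standard library's 'idna' codec.

```python
import re


def to_a_label(name: str) -> str:
    """Normalise a hostname to lower-case A-labels.

    Non-ASCII (U-label) labels are encoded with the built-in 'idna' codec,
    e.g. 'bücher' -> 'xn--bcher-kva'. ASCII labels (including ones that
    contain a '*' wildcard) pass through unchanged except for lower-casing.
    """
    labels = []
    for label in name.split('.'):
        if label.isascii():
            labels.append(label.lower())
        else:
            labels.append(label.encode('idna').decode('ascii'))
    return '.'.join(labels)


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Match a certificate dNSName pattern against a hostname, A-label style.

    Rules (RFC 6125 section 6.4.3):
      * at most one '*', and only in the leftmost label;
      * the wildcard label must correspond to exactly one hostname label;
      * a partial wildcard ('xn*', 'www*') never matches an A-label that
        starts with 'xn--' and is itself never an 'xn--' label.
    """
    pattern = to_a_label(pattern)
    hostname = to_a_label(hostname)

    if '*' not in pattern:
        return pattern == hostname

    leftmost, _, rest = pattern.partition('.')
    host_left, _, host_rest = hostname.partition('.')

    # Wildcard only in the leftmost label, and only one of them.
    if '*' in rest or leftmost.count('*') > 1:
        return False
    # The remaining labels must be identical, and there must be some.
    if not rest or rest != host_rest:
        return False
    # A whole-label wildcard matches any single non-empty label.
    if leftmost == '*':
        return bool(host_left)
    # Partial wildcards are refused against IDN labels, which is exactly
    # the 'xn*.example.org' vs 'xn--bcher-kva.example.org' case.
    if leftmost.startswith('xn--') or host_left.startswith('xn--'):
        return False
    regex = re.escape(leftmost).replace(r'\*', '[^.]*')
    return re.fullmatch(regex, host_left) is not None


if __name__ == '__main__':
    # Constructed sample pairs (pattern from a certificate, hostname from the user).
    cases = [
        ('xn*.example.org', 'xn--bcher-kva.example.org'),   # must be False
        ('*.example.org', 'bücher.example.org'),            # True: U-label input, A-label compare
        ('xn--bcher-kva.example.org', 'bücher.example.org'),  # True
        ('*.example.org', 'a.b.example.org'),               # False: wildcard spans one label
    ]
    for pat, host in cases:
        print(f'{pat!r:35} {host!r:35} -> {dnsname_match(pat, host)}')
```

Note that the built-in 'idna' codec implements IDNA 2003, so a name such as 'straße' is mapped to 'strasse' rather than to the IDNA 2008 A-label; the normalisation step is where that choice lives, and the matching logic is unaffected by it.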