ssl.match_hostname was added in Python 2.7.9, so it looks like Python 2 should be fixed as well.
On Sat, Dec 30, 2017 at 3:50 PM Antoine Pitrou <solip...@pitrou.net> wrote:
>
> Thanks. So the change sounds ok to me.
>
> Regards
>
> Antoine.
>
>
> On Sat, 30 Dec 2017 14:34:04 +0100
> Christian Heimes <christ...@python.org> wrote:
> > On 2017-12-30 11:28, Antoine Pitrou wrote:
> > > On Fri, 29 Dec 2017 21:54:46 +0100
> > > Christian Heimes <christ...@python.org> wrote:
> > >>
> > >> On the other hand the ssl module is currently completely broken. It converts
> > >> hostnames from bytes to text with 'idna' codec in some places, but not
> > >> in all. The SSLSocket.server_hostname attribute and callback function
> > >> SSLContext.set_servername_callback() are decoded as U-label.
> > >> Certificate's common name and subject alternative name fields are not
> > >> decoded and therefore A-labels. They *must* stay A-labels because
> > >> hostname verification is only defined in terms of A-labels. We even had
> > >> a security issue once, because partial wildcard like 'xn*.example.org'
> > >> must not match IDN hosts like 'xn--bcher-kva.example.org'.
> > >>
> > >> In issue [2] and PR [3], we all agreed that the only sensible fix is to
> > >> make 'SSLContext.server_hostname' an ASCII text A-label.
> > >
> > > What are the changes in API terms? If I'm calling wrap_socket(), can I
> > > pass `server_hostname='straße'` and it will IDNA-encode it? Or do I
> > > have to encode it myself? If the latter, it seems like we are putting
> > > the burden of protocol compliance on users.
> >
> > Only SSLSocket.server_hostname attribute and the hostname argument to
> > the SNI callback will change. Both values will be A-labels instead of
> > U-labels. You can still pass a U-label to the server_hostname argument
> > and it will be encoded with "idna" encoding.
> >
> > >>> sock = ctx.wrap_socket(socket.socket(), server_hostname='www.straße.de')
> >
> > Currently:
> > >>> sock.server_hostname
> > 'www.straße.de'
> >
> > Changed:
> > >>> sock.server_hostname
> > 'www.strasse.de'
> >
> > Christian

--
Thanks,
Andrew Svetlov
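The U-label/A-label distinction the thread turns on, as an added example written for this page (not code from CPython and not posted by anyone in the thread). `to_alabel` does what Christian describes for `server_hostname`: it runs the name through the stdlib `idna` codec and returns the result as ASCII text, which is why `www.straße.de` comes back as `www.strasse.de` (the codec is IDNA2003, whose nameprep step folds the sharp s). `dnsname_match` is a hypothetical RFC 6125-style matcher, not `ssl.match_hostname` itself; it normalises both sides to A-labels before comparing and rejects partial wildcards such as `xn*.example.org`, which is the class of pattern the thread says must never match an IDN host like `xn--bcher-kva.example.org`. All host names in the demo are constructed sample values.

```python
import ssl  # only for ssl.CertificateError; everything else is plain string handling


def to_alabel(hostname):
    """Return the hostname as an ASCII A-label (ACE) string.

    This mirrors what the thread describes for SSLSocket.server_hostname:
    a U-label goes through the stdlib 'idna' codec and comes back as text.
    The 'idna' codec implements IDNA2003, so nameprep maps the German
    sharp s to 'ss' and 'www.straße.de' becomes 'www.strasse.de'. Labels
    that are already ASCII (including 'xn--' ACE labels) pass through.
    """
    if isinstance(hostname, bytes):
        hostname = hostname.decode("ascii")
    return hostname.encode("idna").decode("ascii")


def dnsname_match(pattern, hostname):
    """RFC 6125-style comparison of a certificate name against a hostname.

    Hypothetical matcher written for this example, not ssl.match_hostname.
    Both sides are normalised to A-labels first, because that is the only
    form in which hostname verification is defined. A wildcard is accepted
    only as the entire left-most label, so a partial wildcard such as
    'xn*.example.org' raises instead of being allowed to match an
    unrelated IDN host like 'xn--bcher-kva.example.org'.
    """
    pattern = to_alabel(pattern).lower()
    hostname = to_alabel(hostname).lower()

    if "*" not in pattern:
        # Plain name: exact, case-insensitive A-label comparison.
        return pattern == hostname

    if pattern.count("*") > 1:
        raise ssl.CertificateError("too many wildcards in %r" % pattern)

    leftmost, sep, remainder = pattern.partition(".")
    if not sep or leftmost != "*" or "*" in remainder:
        # Rejects 'xn*.example.org', 'f*o.example.org', 'www.*.org' and a bare '*'.
        raise ssl.CertificateError("unsupported wildcard pattern %r" % pattern)

    host_leftmost, sep, host_remainder = hostname.partition(".")
    if not host_leftmost or not sep:
        # '*.example.org' must not match 'example.org' itself.
        return False
    # The wildcard stands for exactly one non-empty label, whatever it contains.
    return host_remainder == remainder


if __name__ == "__main__":
    # Constructed sample names for the demo run.
    print(to_alabel("www.straße.de"))                              # www.strasse.de
    print(to_alabel("bücher.example.org"))                         # xn--bcher-kva.example.org
    print(dnsname_match("www.strasse.de", "www.straße.de"))        # True
    print(dnsname_match("*.example.org", "bücher.example.org"))    # True
    try:
        dnsname_match("xn*.example.org", "xn--bcher-kva.example.org")
    except ssl.CertificateError as exc:
        print("rejected:", exc)
```

The first `to_alabel` call reproduces the "Changed:" value from Christian's session, and the last `dnsname_match` call shows the defensive behaviour the thread alludes to: a partial wildcard in a certificate name is an error, not a pattern that quietly matches every `xn--` host.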
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com