ssl.match_hostname was added in Python 2.7.9; it looks like Python 2 should be
fixed as well.

On Sat, Dec 30, 2017 at 3:50 PM Antoine Pitrou <solip...@pitrou.net> wrote:

>
> Thanks.  So the change sounds ok to me.
>
> Regards
>
> Antoine.
>
>
> On Sat, 30 Dec 2017 14:34:04 +0100
> Christian Heimes <christ...@python.org> wrote:
> > On 2017-12-30 11:28, Antoine Pitrou wrote:
> > > On Fri, 29 Dec 2017 21:54:46 +0100
> > > Christian Heimes <christ...@python.org> wrote:
> > >>
> > >> On the other hand the ssl module is currently completely broken. It
> > >> converts hostnames from bytes to text with 'idna' codec in some places,
> > >> but not in all. The SSLSocket.server_hostname attribute and callback
> > >> function SSLContext.set_servername_callback() are decoded as U-label.
> > >> Certificate's common name and subject alternative name fields are not
> > >> decoded and therefore A-labels. They *must* stay A-labels because
> > >> hostname verification is only defined in terms of A-labels. We even
> > >> had a security issue once, because a partial wildcard like
> > >> 'xn*.example.org' must not match IDN hosts like
> > >> 'xn--bcher-kva.example.org'.
> > >>
> > >> In issue [2] and PR [3], we all agreed that the only sensible fix is
> > >> to make 'SSLContext.server_hostname' an ASCII text A-label.
> > >
> > > What are the changes in API terms?  If I'm calling wrap_socket(), can I
> > > pass `server_hostname='straße'` and it will IDNA-encode it?  Or do I
> > > have to encode it myself?  If the latter, it seems like we are putting
> > > the burden of protocol compliance on users.
> >
> > Only SSLSocket.server_hostname attribute and the hostname argument to
> > the SNI callback will change. Both values will be A-labels instead of
> > U-labels. You can still pass an U-label to the server_hostname argument
> > and it will be encoded with "idna" encoding.
> >
> > >>> sock = ctx.wrap_socket(socket.socket(), server_hostname='www.straße.de')
> >
> > Currently:
> > >>> sock.server_hostname
> > 'www.straße.de'
> >
> > Changed:
> > >>> sock.server_hostname
> > 'www.strasse.de'
> >
> > Christian
> >
> > _______________________________________________
> > Python-Dev mailing list
> > Python-Dev@python.org
> > https://mail.python.org/mailman/listinfo/python-dev
> > Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/python-python-dev%40m.gmane.org
>
-- 
Thanks,
Andrew Svetlov
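The behaviour Christian describes above (the caller passes a U-label, matching is done in A-label space, and a partial wildcard such as 'xn*.example.org' must never be allowed to match an IDN A-label) can be illustrated outside the ssl module. The block below is an added example written for this archive page; it is not code from the thread, from CPython's ssl module, or from the PR under discussion. It relies only on Python's built-in 'idna' codec (IDNA 2003 nameprep, which is why 'straße' becomes 'strasse' exactly as in the quoted session) and on the certificate dict shape returned by SSLSocket.getpeercert(). The helper names to_alabel, wildcard_problem, dnsname_match and check_hostname and the sample certificate dicts are assumptions made for the example.

```python
"""Added example: hostname matching on IDNA A-labels (RFC 6125 s6.4.3).

Stand-alone re-implementation of the rules discussed on python-dev; not
CPython's ssl.match_hostname.  Helper names are hypothetical.
"""
import fnmatch
from typing import Optional


def to_alabel(hostname: str) -> str:
    """Normalise a hostname to its ASCII A-label form via the 'idna' codec.

    Labels that are already ASCII (including 'xn--' ones) pass through
    unchanged, so the function is idempotent; non-ASCII labels go through
    nameprep and punycode ('straße' -> 'strasse', 'bücher' -> 'xn--bcher-kva').
    """
    return hostname.encode("idna").decode("ascii")


def wildcard_problem(pattern: str) -> Optional[str]:
    """Return why a dNSName pattern's wildcard use is unacceptable, else None."""
    stars = pattern.count("*")
    if stars == 0:
        return None
    if stars > 1:
        return "more than one wildcard"
    leftmost, sep, rest = pattern.partition(".")
    if not sep:
        return "sole wildcard without further labels"
    if "*" in rest:
        return "wildcard outside the left-most label"
    if leftmost != "*":
        # 'www*', 'xn*' or 'xn--b*cher-kva': a partial wildcard is refused
        # outright, because in A-label space 'xn*' would swallow every IDN
        # label (RFC 6125 s6.4.3 item 3) -- the bug the thread refers to.
        return "partial wildcard in left-most label"
    return None


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Compare one presented identifier against the intended hostname.

    Both sides are converted to lower-case A-labels first, so a caller-supplied
    U-label 'www.straße.de' compares equal to a certificate's 'www.strasse.de'.
    Unsafe wildcard patterns are treated as non-matching rather than guessed at.
    """
    pattern = to_alabel(pattern).lower()
    hostname = to_alabel(hostname).lower()
    if wildcard_problem(pattern) is not None:
        return False
    if "*" not in pattern:
        return pattern == hostname
    _, _, pattern_rest = pattern.partition(".")
    host_left, sep, host_rest = hostname.partition(".")
    # The wildcard stands for exactly one non-empty label, never zero or two.
    return bool(host_left) and bool(sep) and pattern_rest == host_rest


def check_hostname(cert: dict, server_hostname: str) -> bool:
    """Check a getpeercert()-style dict against server_hostname.

    dNSName SAN entries are authoritative; commonName is consulted only when
    the certificate carries no dNSName at all (RFC 6125 precedence).
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(dnsname_match(p, server_hostname) for p in names)


# Constructed sample certificates in the shape SSLSocket.getpeercert() returns;
# they are not real certificates.
SAMPLE_CERT = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "www.strasse.de"), ("DNS", "*.example.org")),
}
BAD_WILDCARD_CERT = {
    "subject": ((("commonName", "xn*.example.org"),),),
    "subjectAltName": (("DNS", "xn*.example.org"),),
}


def demo() -> dict:
    """Results a practitioner should expect; see the usage note."""
    return {
        "u_label_caller_matches_a_label_cert": check_hostname(SAMPLE_CERT, "www.straße.de"),
        "full_wildcard_matches_idn_label": check_hostname(SAMPLE_CERT, "bücher.example.org"),
        "partial_xn_wildcard_rejected": check_hostname(BAD_WILDCARD_CERT, "bücher.example.org"),
        # What a naive glob would have done with the same pair:
        "naive_fnmatch_would_accept": fnmatch.fnmatchcase(
            to_alabel("bücher.example.org"), "xn*.example.org"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints True, True, False, True in that order: the U-label caller value matches the A-label certificate name once both are normalised, a whole-label '*' matches an IDN label, the partial 'xn*' wildcard is refused, and a plain glob on the same strings would have accepted it. That last line is the whole reason the thread insists on A-labels plus RFC 6125 wildcard rules rather than string comparison on whatever form the caller happened to pass in.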