[issue25722] Lib/ssl.py breaks certificate validation for wildcard domains, e.g. *.s3.amazonaws.com

2015-11-24 Thread Alexander Todorov

New submission from Alexander Todorov:

The latest ssl.py file tries to validate hostnames vs certificates but includes 
a faulty regexp which causes any wildcard domains (e.g. *.s3.amazonaws.com) to 
fail validation. 

Steps to Reproduce:
>>> import ssl
>>> ssl._dnsname_match("*.s3.amazonaws.com",
...                    "planet.sofiavalley.com.s3.amazonaws.com")
>>>

From Python's documentation:

[]

Used to indicate a set of characters. In a set:

...
Special characters lose their special meaning inside sets. For example, 
[(+*)] will match any of the literal characters '(', '+', '*', or ')'.


^ this is the cause of the error

I found this after an upgrade to RHEL 7.2, which contains the faulty code, 
broke s3cmd for me. The result: one of my sites was outdated for a couple of 
days.

For more info and proposed patch see:
https://bugzilla.redhat.com/show_bug.cgi?id=1284916
https://bugzilla.redhat.com/show_bug.cgi?id=1284930

Note: As far as I can tell this affects upstream Python 2.7.10 and 3.5.0, 
however in the packages Red Hat distributes the code is different between 2 and 
3 while upstream is more consistent.

--
messages: 255265
nosy: Alexander Todorov
priority: normal
severity: normal
status: open
title: Lib/ssl.py breaks certificate validation for wildcard domains, e.g. 
*.s3.amazonaws.com
versions: Python 2.7, Python 3.5

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue25722] Lib/ssl.py breaks certificate validation for wildcard domains, e.g. *.s3.amazonaws.com

2015-11-24 Thread Christian Heimes

Christian Heimes added the comment:

This is not a bug. It's actually the way wildcards in X.509 certificates 
work. For hostnames a wildcard only matches one label. There can only be one 
wildcard and the wildcard must be in the left-most label. 
https://tools.ietf.org/html/rfc6125#section-6.4.3

This means that "*.s3.amazonaws.com" matches "com.s3.amazonaws.com" but doesn't 
match "planet.sofiavalley.com.s3.amazonaws.com".

--
nosy: +christian.heimes
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed
type:  -> behavior

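The rule from the reply, as an added example that is not part of the original thread and is not the code in Lib/ssl.py: a small matcher for the RFC 6125 section 6.4.3 constraints Christian describes (at most one wildcard, only in the left-most label, and the wildcard covers exactly one label), run against the two hostnames from the thread. The names dnsname_match, wildcard_label and the CertificateError class are this example's own, chosen for illustration.

```python
import re


class CertificateError(ValueError):
    """Raised for a presented identifier that violates the wildcard rules."""


def _wildcard_pattern(dn, max_wildcards=1):
    """Compile a certificate DNS-ID containing '*' into an anchored regex.

    Encodes RFC 6125, section 6.4.3: at most one wildcard, only in the
    left-most label, and the wildcard never spans a '.', so it absorbs
    exactly one label. The label covered by the wildcard is group 1.
    """
    leftmost, *remainder = dn.split('.')

    # Rule 1: a wildcard in any label other than the left-most one is not
    # a valid presented identifier; reject it so the caller notices.
    if any('*' in frag for frag in remainder):
        raise CertificateError("wildcard outside left-most label: %r" % dn)
    if leftmost.count('*') > max_wildcards:
        raise CertificateError("too many wildcards in DNS name: %r" % dn)

    if leftmost == '*':
        # A bare '*' matches one non-empty label and nothing more.
        head = '([^.]+)'
    else:
        # Partial wildcard such as 'baz*' (rule 3): the '*' part may match
        # any run of characters that contains no dot.
        head = '(' + re.escape(leftmost).replace(r'\*', '[^.]*') + ')'

    tail = [re.escape(frag) for frag in remainder]
    return re.compile(r'\A' + r'\.'.join([head] + tail) + r'\Z', re.IGNORECASE)


def dnsname_match(dn, hostname, max_wildcards=1):
    """Return True if the certificate DNS name `dn` covers `hostname`."""
    if not dn:
        return False
    if '*' not in dn:
        # No wildcard: a plain case-insensitive comparison of the whole name.
        return dn.lower() == hostname.lower()
    return _wildcard_pattern(dn, max_wildcards).match(hostname) is not None


def wildcard_label(dn, hostname):
    """Return the single label the wildcard absorbed, or None if no match."""
    if '*' not in dn:
        return None
    m = _wildcard_pattern(dn).match(hostname)
    return m.group(1) if m else None


def thread_examples():
    """The two hostnames from the thread, plus the bare parent domain."""
    dn = "*.s3.amazonaws.com"
    return {
        "com.s3.amazonaws.com": dnsname_match(dn, "com.s3.amazonaws.com"),
        "planet.sofiavalley.com.s3.amazonaws.com":
            dnsname_match(dn, "planet.sofiavalley.com.s3.amazonaws.com"),
        "s3.amazonaws.com": dnsname_match(dn, "s3.amazonaws.com"),
    }


if __name__ == "__main__":
    for host, ok in thread_examples().items():
        print("%-42s %s" % (host, "match" if ok else "no match"))
    # Shows which single label the '*' stood in for.
    print(wildcard_label("*.s3.amazonaws.com", "com.s3.amazonaws.com"))
```

The reporter's hostname fails for the reason given in the reply: the bucket name planet.sofiavalley.com contains dots, so three labels sit in front of .s3.amazonaws.com and the single wildcard can absorb only one of them. The example also rejects names such as s3.*.amazonaws.com or **.example.com with CertificateError rather than silently not matching. It deliberately implements only the RFC 6125 rules discussed here; browsers additionally refuse wildcards that would cover a public suffix (for example *.com), which is out of scope for this thread.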