[issue31399] Let OpenSSL verify hostname and IP address

2021-10-07 Thread ramikg


Change by ramikg :


--
nosy: +ramikg
nosy_count: 4.0 -> 5.0
pull_requests: +27115
pull_request: https://github.com/python/cpython/pull/28602

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue31399] Let OpenSSL verify hostname and IP address

2018-02-26 Thread Christian Heimes

Christian Heimes  added the comment:

The feature has been implemented. I'll take care of the failing tests in #32706.

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed
versions: +Python 3.8




[issue31399] Let OpenSSL verify hostname and IP address

2018-01-29 Thread Socob

Change by Socob <206a8...@opayq.com>:


--
nosy: +Socob




[issue31399] Let OpenSSL verify hostname and IP address

2018-01-29 Thread Christian Heimes

Christian Heimes  added the comment:


New changeset 66e5742becce38e69a8f09e5f7051445fc57e92e by Christian Heimes in 
branch 'master':
bpo-28414: ssl module idna test (#5395)
https://github.com/python/cpython/commit/66e5742becce38e69a8f09e5f7051445fc57e92e


--




[issue31399] Let OpenSSL verify hostname and IP address

2018-01-29 Thread STINNER Victor

STINNER Victor  added the comment:

It seems like the commit 61d478c71c5341cdc54e6bfb4ace4252852fd972 introduced a 
regression in test_ftplib: bpo-32706. Can you please take a look?

--
nosy: +vstinner




[issue31399] Let OpenSSL verify hostname and IP address

2018-01-28 Thread Christian Heimes

Change by Christian Heimes :


--
pull_requests: +5231




[issue31399] Let OpenSSL verify hostname and IP address

2018-01-27 Thread Christian Heimes

Christian Heimes  added the comment:


New changeset 61d478c71c5341cdc54e6bfb4ace4252852fd972 by Christian Heimes in 
branch 'master':
bpo-31399: Let OpenSSL verify hostname and IP address (#3462)
https://github.com/python/cpython/commit/61d478c71c5341cdc54e6bfb4ace4252852fd972


--




[issue31399] Let OpenSSL verify hostname and IP address

2018-01-18 Thread Christian Heimes

Christian Heimes  added the comment:

https://github.com/libressl-portable/portable/issues/381

--




[issue31399] Let OpenSSL verify hostname and IP address

2018-01-18 Thread Christian Heimes

Christian Heimes  added the comment:

Bad news, LibreSSL is the worst. Even the latest release 2.6.4 does not 
implement 
https://www.openssl.org/docs/man1.0.2/crypto/X509_VERIFY_PARAM_set1_host.html 
or X509_VERIFY_PARAM_set_hostflags(). I don't get why it provides 
X509_check_host() but not X509_VERIFY_PARAM_set1_host().

--




[issue31399] Let OpenSSL verify hostname and IP address

2017-09-15 Thread Jakub Wilk

Changes by Jakub Wilk :


--
nosy: +jwilk




[issue31399] Let OpenSSL verify hostname and IP address

2017-09-08 Thread Christian Heimes

Changes by Christian Heimes :


--
keywords: +patch
pull_requests: +3454




[issue31399] Let OpenSSL verify hostname and IP address

2017-09-08 Thread Christian Heimes

New submission from Christian Heimes:

Python should no longer attempt to verify hostname and IP addresses itself. 
OpenSSL 1.0.2 and newer is able to verify hostname and IP addresses itself. The 
new APIs are properly hooked into the chain validation step. Hostname matching 
implements RFC 6125. CN matching and partial wildcards can be tuned with 
additional. The API is documented here: 
https://www.openssl.org/docs/man1.0.2/crypto/X509_VERIFY_PARAM_set1_host.html . 
X509_VERIFY_PARAM_set1_host is available since OpenSSL 1.0.2. LibreSSL 2.5.3+ 
implements the proper bits and pieces, too.


Why should we use OpenSSL rather than matching hostnames ourselves?

In the past, OpenSSL did not contain any code to perform host name
matching. Applications were required to roll their own implementation.
This caused code duplication and various security issues, because
it is far from trivial to cover all edge cases. Python had multiple
security issues just caused by incorrect or buggy hostname matching:

* Until Python 3.2 and 2.7.9, the ssl module was not capable of
  performing host name matching. ``ssl.match_hostname()`` was
  introduced in 3.2.0 and later back-ported to 2.7.9.
* Issue #12000: Subject CN was ignored when a subject alternative
  name extension (SAN) was present without dNSName entries, thus
  violating RFC 2818.
* CVE-2013-2099: Multiple wildcard characters could be abused
  for a Denial-of-Service attack in the re module.
* Issue #17997: RFC 2818 was superseded by RFC 6125, which no longer
  allows multiple wildcard characters. Wildcards are only supported
  in the left-most label.
* Issue #17997: ``ssl.match_hostname()`` did not implement partial
  wildcards of international domain names correctly.
* Issue #18709: The ssl module used an inappropriate OpenSSL function
  to convert host names from ASN.1 to strings. A host name with an
  embedded NULL byte could be abused to trick validation.
* Issue #17305: The ssl module does not handle IDNA 2008-encoded
  host names correctly. It converts from IDN A-label (ASCII
  compatible encoding) to IDN U-label (unicode) with Python's idna
  encoding, which is IDNA 2003-only.
* Issue #30141: The host name is not verified when an SSLSocket is
  created with ``do_handshake_on_connect=False`` and the application
  causes an implicit handshake w/o calling do_handshake() explicitly.
* An SSLSocket performs host name matching *after* the handshake and
  during the handshake. In case of an invalid host name, a client
  is supposed to abort the connection with an appropriate TLS alert.
  This causes two problems. For one, the server is not informed about
  a problem with the certificate. Also, an invalid host name does not
  prevent the client from sending a TLS client authentication
  cert to a malicious server. The cert typically contains personal
  information like username and department.

--
assignee: christian.heimes
components: SSL
messages: 301731
nosy: christian.heimes
priority: high
severity: normal
stage: patch review
status: open
title: Let OpenSSL verify hostname and IP address
type: enhancement
versions: Python 3.7

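The pitfalls enumerated in the submission above are exactly the cases that OpenSSL's X509_check_host()/X509_VERIFY_PARAM_set1_host() handle once Python hands identity checking to the library. The block below is an added illustration, not CPython's, OpenSSL's or the author's code: it shows the Python 3.7+ client-side setup that delegates the check to OpenSSL during the handshake, and beside it a pure-Python mirror of the matching rules, exercised against constructed certificate dictionaries in the shape that getpeercert() returns, so that SAN precedence over the subject CN, the single whole-label wildcard rule, the A-label restriction, IP literals compared as parsed addresses, embedded NUL rejection and the absence of regular expressions can be seen in one place. The matcher exists to make the rules reviewable, not to replace the library; all certificate contents and host names are constructed for the example, and the stricter no-partial-wildcard choice (OpenSSL's X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS) is assumed.

```python
"""Added illustration of the identity-matching rules the submission cites,
mirrored in pure Python against constructed getpeercert()-style dicts.
Not CPython, OpenSSL or the author's code; for study only."""
import ipaddress
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that leaves identity checking to OpenSSL (Python 3.7+):
    the hostname or IP is checked during the handshake itself, so a mismatch
    aborts with a TLS alert before any client certificate is sent."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED and check_hostname=True
    ctx.hostname_checks_common_name = False  # SAN only; never fall back to the subject CN
    return ctx


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one presented dNSName against the reference hostname.

    Rules as OpenSSL applies them (RFC 6125 6.4.3), with the stricter
    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS choice assumed: case-insensitive;
    at most one '*'; the wildcard must be the entire left-most label (so
    'xn--*' A-labels and 'w*' partial labels never match); at least two
    labels must follow it (so '*.com' is rejected); a wildcard never spans
    a '.'. Plain string comparison only, no regular expressions (CVE-2013-2099).
    """
    if "\x00" in pattern or "\x00" in hostname or "*" in hostname:
        return False                         # issue #18709; a reference name carries no wildcard
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    if pattern.count("*") != 1:
        return False                         # multiple wildcards (issue #17997)
    head, _, tail = pattern.partition(".")
    if head != "*" or tail.count(".") < 1:
        return False                         # whole first label only, two dots after it
    host_head, sep, host_tail = hostname.partition(".")
    return bool(sep) and bool(host_head) and host_tail == tail


def match_hostname(cert: dict, hostname: str) -> bool:
    """Decide whether `cert` (getpeercert() shape) is valid for `hostname`.

    Precedence mirrors OpenSSL: an IP literal is compared as a parsed address
    against iPAddress SANs only; otherwise dNSName SANs are consulted and, when
    any dNSName SAN is present, the subject CN is ignored. The CN is used only
    when no dNSName SAN exists (RFC 2818 / issue #12000).
    """
    if "\x00" in hostname:
        return False
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    san = cert.get("subjectAltName", ())
    if wanted_ip is not None:
        for kind, value in san:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue                     # malformed iPAddress entry never matches
        return False

    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dnsname_match(name, hostname) for name in dns_names)

    for rdn in cert.get("subject", ()):      # CN fallback, only without dNSName SANs
        for key, value in rdn:
            if key == "commonName" and _dnsname_match(value, hostname):
                return True
    return False


# Constructed certificates in the shape of ssl.SSLSocket.getpeercert()
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
CERT_CN_ONLY = {"subject": ((("commonName", "cn.example.com"),),)}
CERT_SAN_WITHOUT_DNS = {
    "subject": ((("commonName", "cn.example.com"),),),
    "subjectAltName": (("email", "hostmaster@example.com"),),
}


if __name__ == "__main__":
    for cert, name in [(CERT_WITH_SAN, "www.example.com"),
                       (CERT_WITH_SAN, "legacy.example.com"),
                       (CERT_WITH_SAN, "192.0.2.10"),
                       (CERT_CN_ONLY, "cn.example.com")]:
        print(f"{name:22s} -> {match_hostname(cert, name)}")
```

Running the block prints the verdict for each constructed pair; the point to notice is `legacy.example.com` coming back False even though it is the subject CN, because the certificate carries dNSName SANs, and the IP literal matching only through the iPAddress entry. In a real client none of this code is needed: `make_client_context()` plus `wrap_socket(sock, server_hostname=...)` makes OpenSSL apply the same rules inside the handshake.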