Christian Heimes added the comment:
This is not a bug. It's actually how wildcards in X.509 certificates
work. For hostnames a wildcard only matches one label. There can only be one
wildcard and the wildcard must be in the left-most label.
https://tools.ietf.org/html/rfc6125#section-6.
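
The three rules stated in the comment above, as an added example that is not part of the original thread and is not CPython's ssl module code. The function name, the sample hostnames and the choice to accept only a whole-label "*" are assumptions of this sketch.

```python
def wildcard_match(pattern: str, hostname: str) -> bool:
    """Return True if certificate dNSName `pattern` covers `hostname`.

    Rules from the comment above: at most one '*', only in the left-most
    label, and it stands for exactly one label (it never spans a dot).
    Assumption of this sketch: the wildcard must be the whole label ("*").
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    if pattern.count("*") > 1:
        raise ValueError(f"more than one wildcard: {pattern!r}")
    if any("*" in label for label in p_labels[1:]):
        raise ValueError(f"wildcard not in left-most label: {pattern!r}")
    if "*" in p_labels[0] and p_labels[0] != "*":
        raise ValueError(f"partial-label wildcard not supported: {pattern!r}")

    # One wildcard covers one label, so a differing label count never matches.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    # Everything right of the left-most label is compared literally.
    if p_labels[1:] != h_labels[1:]:
        return False
    return p_labels[0] == "*" or p_labels[0] == h_labels[0]


# Constructed hostnames, checked against the pattern quoted in the report.
SAMPLES = [
    "mybucket.s3.amazonaws.com",    # one label left of the suffix
    "my.bucket.s3.amazonaws.com",   # two labels left of the suffix
    "s3.amazonaws.com",             # no label for the wildcard to cover
]


def check_samples(pattern: str = "*.s3.amazonaws.com") -> dict:
    """Map each constructed hostname to its match result."""
    return {host: wildcard_match(pattern, host) for host in SAMPLES}


if __name__ == "__main__":
    for host, ok in check_samples().items():
        print(f"{host:32} {'match' if ok else 'no match'}")
```
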
New submission from Alexander Todorov:
The latest ssl.py file tries to validate hostnames vs certificates but includes
a faulty regexp which causes any wildcard domains (e.g. *.s3.amazonaws.com) to
fail validation.
Steps to Reproduce:
>>> import ssl
>>> ssl._dnsname_match("*.s3.amazonaws.com"