[issue29824] Hostname validation in SSL match_hostname()

2017-09-06 Thread Christian Heimes
Christian Heimes added the comment:

Thanks Alex! Let's not get into the business of verifying TLDs.

--
resolution: -> wont fix
stage: -> resolved
status: open -> closed

[issue29824] Hostname validation in SSL match_hostname()

2017-09-06 Thread Alex Gaynor
Alex Gaynor added the comment:

An additional problem in (2) is that a cert for *.google _is_ legal if the CA can prove that a single organization controls the entire TLD: https://crt.sh/?id=7668286

--
nosy: +Alex Gaynor

[issue29824] Hostname validation in SSL match_hostname()

2017-03-16 Thread Christian Heimes
Changes by Christian Heimes:

--
nosy: +alex, dstufft, janssen

[issue29824] Hostname validation in SSL match_hostname()

2017-03-16 Thread Christian Heimes
Christian Heimes added the comment:

I don't see 1) as a problem. You won't be able to resolve these names in DNS, would you?

Regarding 2). Yes, it would be beneficial to have more elaborate checks to protect against wildcard attacks like *.com. However Python is not a browser. It's really

[issue29824] Hostname validation in SSL match_hostname()

2017-03-16 Thread Suphannee
New submission from Suphannee:

1. Allowing attempting to match invalid hostname

According to domain name specification in RFC 1035, only alphanumeric, dot and hyphen are valid characters in domain name. We observe that the function match_hostname() in Lib/ssl.py allows other special characters
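
An added example (not code from the tracker issue or from Lib/ssl.py): a caller-side syntax check covering the two points raised in this thread, the RFC 1035 character set and wildcard placement. The function names and the sample names are assumptions made for illustration; a wildcard directly under a TLD is reported rather than rejected, since the thread notes such certificates can be legitimate.

```python
import re

# One DNS label: letters, digits and hyphen only, 1-63 characters, no leading
# or trailing hyphen. Used with fullmatch() so that a trailing newline cannot
# slip past the way it can with a "$" anchor.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_ldh_hostname(name: str) -> bool:
    """True if every label uses only letters, digits and hyphen."""
    if name.endswith("."):              # tolerate a single trailing root dot
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def check_cert_pattern(pattern: str) -> tuple[bool, str]:
    """Syntax-check a certificate dNSName before any matching is attempted.

    A wildcard is accepted only as the complete left-most label. Whether a
    wildcard directly under a TLD is acceptable is left to the caller's policy.
    """
    first, _, rest = pattern.partition(".")
    if "*" in rest:
        return False, "wildcard outside left-most label"
    if "*" in first:
        if first != "*":
            return False, "partial wildcard label"
        if not is_ldh_hostname(rest):
            return False, "invalid characters after wildcard"
        if "." not in rest.rstrip("."):
            return True, "wildcard directly under a TLD"
        return True, "ok"
    if not is_ldh_hostname(pattern):
        return False, "invalid characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample patterns, not taken from the issue.
    for p in ["www.example.com", "*.example.com", "*.com",
              "www.*.com", "f*o.example.com", "www.exam!ple.com"]:
        print(f"{p!r:22} -> {check_cert_pattern(p)}")
```
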