Message 278483
Author: christian.heimes
Recipients: abracadaber, christian.heimes, gvanrossum, yselivanov
Date: 2016-10-11 13:20:13
SpamBayes Score: -1.0
Marked as misclassified: Yes
Message-id: <1476192013.6.0.198249210962.issue28414@psf.upfronthosting.co.za>
In-reply-to:
Content:
Thanks for bringing this to my attention. I can confirm that the code is broken. Furthermore, there are no tests for IDN for server_hostname.
* server_hostname must be an IDN U-label (locälhost)
* SSL handshake correctly converts and sends TLS SNI as IDN A-label (xn--loclhost-2za)
* getpeercert() returns DNS SAN as IDN A-label. It's less than ideal but required.
* the serverhostname_callback is called with IDN U-label
* match_hostname() is called with IDN U-label
The bug is clearly in match_hostname(). The function fails to convert the hostname U-label to A-label before it compares the certificate.
I have a rough draft of a patch here https://github.com/tiran/cpython/tree/issue28414_idna_verify
By the way, IDNA support in Python is broken in general, #17305. We still don't support the latest IDNA standard from 2008 (!). IDNA 2003 is not compatible with German, Greek, Farsi and Sinhalese domains, http://unicode.org/faq/idn.html.
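The mismatch described in the message above, as an added example written for this page (it is not the draft patch linked in the message and not CPython's own match_hostname): a minimal dNSName matcher with the buggy direct comparison next to one that converts the hostname to an A-label before comparing. The SAN entries are constructed for illustration, the wildcard handling is a simplified reading of what match_hostname allowed (single '*' in the leftmost label only), and the conversion uses the stdlib 'idna' codec, which is IDNA 2003, the same limitation the message points out.

```python
import re

# Constructed sample certificate identity: getpeercert() hands back DNS SAN
# entries as A-labels, while the caller passes the U-label "locälhost".
SAN_DNSNAMES = ["xn--loclhost-2za", "*.xn--loclhost-2za"]  # constructed


def to_alabel(hostname: str) -> str:
    """Convert a hostname to its ASCII A-label form.

    Uses the stdlib 'idna' codec (IDNA 2003, the same limitation the message
    mentions). Pure-ASCII names pass through; a trailing dot is stripped so
    'example.com.' still matches; the result is lowercased for comparison.
    """
    name = hostname.rstrip(".")
    try:
        return name.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise ValueError(f"invalid hostname {hostname!r}") from exc


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern from the certificate against a hostname.

    Both sides are compared as given (this is where the defect bites when the
    hostname is still a U-label). A single '*' is allowed, and only in the
    leftmost label; it must match exactly one label. A partial wildcard such
    as 'f*' is never applied to an IDN (xn--) label.
    """
    pattern = pattern.lower()
    hostname = hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    if pattern.count("*") > 1:
        return False
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    if "*" not in pat_labels[0] or len(pat_labels) != len(host_labels):
        return False
    leftmost = pat_labels[0]
    if leftmost == "*":
        leftmost_ok = host_labels[0] != ""
    elif leftmost.startswith("xn--") or host_labels[0].startswith("xn--"):
        leftmost_ok = False
    else:
        regex = re.escape(leftmost).replace(r"\*", "[^.]*")
        leftmost_ok = re.fullmatch(regex, host_labels[0]) is not None
    return leftmost_ok and pat_labels[1:] == host_labels[1:]


def match_hostname_buggy(san_names, hostname: str) -> bool:
    """Reproduces the defect in the report: the U-label hostname is compared
    as-is against the certificate's A-label names, so they never agree."""
    return any(_dnsname_match(name, hostname) for name in san_names)


def match_hostname_fixed(san_names, hostname: str) -> bool:
    """Converts the hostname to an A-label first, so the comparison is
    A-label against A-label, which is what the certificate actually carries."""
    alabel = to_alabel(hostname)
    return any(_dnsname_match(name, alabel) for name in san_names)


if __name__ == "__main__":
    for host in ("locälhost", "mail.locälhost", "a.b.locälhost"):
        print(f"{host!r:20} as A-label {to_alabel(host)!r:28} "
              f"buggy={match_hostname_buggy(SAN_DNSNAMES, host)} "
              f"fixed={match_hostname_fixed(SAN_DNSNAMES, host)}")
```

The point to take away is that the conversion must happen once, at the boundary, before any string comparison: the SNI sent on the wire is already an A-label, the certificate's SAN is an A-label, and only the verification step was still looking at the U-label.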
History

| Date | User | Action | Args |
|---|---|---|---|
| 2016-10-11 13:20:13 | christian.heimes | set | recipients: + christian.heimes, gvanrossum, yselivanov, abracadaber |
| 2016-10-11 13:20:13 | christian.heimes | set | messageid: <1476192013.6.0.198249210962.issue28414@psf.upfronthosting.co.za> |
| 2016-10-11 13:20:13 | christian.heimes | link | issue28414 messages |
| 2016-10-11 13:20:13 | christian.heimes | create | |