author | Christian Heimes <christian@python.org> | 2018-02-24 01:35:08 (GMT) |
---|---|---|
committer | Nathaniel J. Smith <njs@pobox.com> | 2018-02-24 01:35:08 (GMT) |
commit | 11a1493bc4198f1def5e572049485779cf54dc57 (patch) | |
tree | 8ad419e997569f9a9d05ea7e213d5092086608fa /Doc/whatsnew | |
parent | 82ab13d756a04eab1dae58629473b95ddf363484 (diff) | |

[bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128)

Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.

After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.

Diffstat (limited to 'Doc/whatsnew')
-rw-r--r-- | Doc/whatsnew/3.7.rst | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index 50c9238..c924f6d 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst @@ -662,6 +662,14 @@ ciphers that have been blocked by OpenSSL security update. Default cipher suite selection can be configured on compile time. (Contributed by Christian Heimes in :issue:`31429`.) +Added support for validating server certificates containing +internationalized domain names (IDNs). As part of this change, the +:attr:`ssl.SSLSocket.server_hostname` attribute now stores the +expected hostname in A-label form (``"xn--pythn-mua.org"``), rather +than the U-label form (``"pythön.org"``). (Contributed by +Nathaniel J. Smith and Christian Heimes in :issue:`28414`.) + + string ------ |
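
Review bot: The added ssl paragraph covers only the client-side half of this commit. The commit message also describes a new server-side sni_callback that receives the SNI servername as an A-label rather than a U-label, and the entry says nothing about it; suggest adding a sentence for it next to the :attr:`ssl.SSLSocket.server_hostname` text. The switch of server_hostname from ``"pythön.org"`` to ``"xn--pythn-mua.org"`` is also a behaviour change for callers that compare or log that attribute against the Unicode name they passed in, so it deserves wording that flags it as a change in existing behaviour, not only as new IDN support. Minor style point: the hunk appears to add two blank lines before the "string" heading where one would match the surrounding sections.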