diff options
| author | Mandeep Singh <daxlab@users.noreply.github.com> | 2017-11-26 22:31:27 (GMT) |
|---|---|---|
| committer | Mariatta <Mariatta@users.noreply.github.com> | 2017-11-26 22:31:27 (GMT) |
| commit | ede2ac913eba47131ee1bbc37a9aea344d678576 (patch) | |
| tree | b4270e8572769876e6da0786db280a6a0ed05639 /Lib | |
| parent | 0cd2e81bea639828d7c9a7afc61fb1da9699492c (diff) | |
| download | cpython-ede2ac913eba47131ee1bbc37a9aea344d678576.zip cpython-ede2ac913eba47131ee1bbc37a9aea344d678576.tar.gz cpython-ede2ac913eba47131ee1bbc37a9aea344d678576.tar.bz2 | |
bpo-23033: Improve SSL Certificate handling (GH-937)
Wildcard is now supported in hostname when it is one and only character in
the leftmost segment.
Diffstat (limited to 'Lib')
| -rw-r--r-- | Lib/ssl.py | 9 | ||||
| -rw-r--r-- | Lib/test/test_ssl.py | 13 |
2 files changed, 14 insertions, 8 deletions
@@ -221,7 +221,7 @@ class CertificateError(ValueError): pass -def _dnsname_match(dn, hostname, max_wildcards=1): +def _dnsname_match(dn, hostname): """Matching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 @@ -233,7 +233,12 @@ def _dnsname_match(dn, hostname, max_wildcards=1): leftmost, *remainder = dn.split(r'.') wildcards = leftmost.count('*') - if wildcards > max_wildcards: + if wildcards == 1 and len(leftmost) > 1: + # Only match wildcard in leftmost segment. + raise CertificateError( + "wildcard can only be present in the leftmost segment: " + repr(dn)) + + if wildcards > 1: # Issue #17980: avoid denials of service by refusing more # than one wildcard per fragment. A survey of established # policy among SSL implementations showed it to be a diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index aa2429a..c65290b 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -512,10 +512,11 @@ class BasicSocketTests(unittest.TestCase): fail(cert, 'Xa.com') fail(cert, '.a.com') - # only match one left-most wildcard + # only match wildcards when they are the only thing + # in left-most segment cert = {'subject': ((('commonName', 'f*.com'),),)} - ok(cert, 'foo.com') - ok(cert, 'f.com') + fail(cert, 'foo.com') + fail(cert, 'f.com') fail(cert, 'bar.com') fail(cert, 'foo.a.com') fail(cert, 'bar.foo.com') @@ -552,8 +553,8 @@ class BasicSocketTests(unittest.TestCase): # are supported. idna = 'www*.pythön.org'.encode("idna").decode("ascii") cert = {'subject': ((('commonName', idna),),)} - ok(cert, 'www.pythön.org'.encode("idna").decode("ascii")) - ok(cert, 'www1.pythön.org'.encode("idna").decode("ascii")) + fail(cert, 'www.pythön.org'.encode("idna").decode("ascii")) + fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii")) fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii")) fail(cert, 'pythön.org'.encode("idna").decode("ascii")) @@ -637,7 +638,7 @@ class BasicSocketTests(unittest.TestCase): # Issue #17980: avoid denials of service by refusing more than one # wildcard per fragment. cert = {'subject': ((('commonName', 'a*b.com'),),)} - ok(cert, 'axxb.com') + fail(cert, 'axxb.com') cert = {'subject': ((('commonName', 'a*b.co*'),),)} fail(cert, 'axxb.com') cert = {'subject': ((('commonName', 'a*b*.com'),),)} |