Message189366
Indeed, two wildcards seem to be ok with a 255-character domain name:
$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
1000 loops, best of 3: 797 usec per loop
Three wildcards already start producing some load:
$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 66.2 msec per loop
Four wildcards are more than enough for a DoS:
$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 4.12 sec per loop |
|
| Date |
User |
Action |
Args |
| 2013-05-16 12:33:31 | pitrou | set | recipients:
+ pitrou, christian.heimes, iankko, fweimer, mpessas |
| 2013-05-16 12:33:31 | pitrou | set | messageid: <1368707611.71.0.761734577529.issue17980@psf.upfronthosting.co.za> |
| 2013-05-16 12:33:31 | pitrou | link | issue17980 messages |
| 2013-05-16 12:33:31 | pitrou | create | |
|
➜
