Message189454
Python's ssl.match_hostname() does substring matching as specified in RFC 2818:

    Names may contain the wildcard
    character * which is considered to match any single domain name
    component or component fragment. E.g., *.a.com matches foo.a.com but
    not bar.foo.a.com. f*.com matches foo.com but not bar.com.

The RFC doesn't specify how internationalized domain names should be handled because it predates RFC 5890 for IDNA by many years. IDNA are prefixed with "xn--", e.g. u"götter.example.de".encode("idna") ==
"xn--gtter-jua.example.de". This can result in false positive matches for a rule like "x*.example.de".
Chrome has special handling for IDN prefix in X509Certificate::VerifyHostname()
http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/x509_certificate.cc
Also see #17980

History
Date | User | Action | Args
2013-05-17 14:04:53 | christian.heimes | set | recipients: + christian.heimes, pitrou
2013-05-17 14:04:53 | christian.heimes | set | messageid: <1368799493.86.0.504478450601.issue17997@psf.upfronthosting.co.za>
2013-05-17 14:04:53 | christian.heimes | link | issue17997 messages
2013-05-17 14:04:53 | christian.heimes | create |
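
The false positive described in the message above, as an added example that is not part of the original message and is not Python's or Chrome's code. `naive_match` and `idna_aware_match` are hypothetical names; the second applies one assumed policy: a partial wildcard is never expanded when the leftmost label of the pattern or of the host is an A-label ("xn--"), while a lone `*` still matches a whole label.

```python
import re

# Constructed sample: the IDN from the message, converted to its A-label form.
IDN_HOST = "g\u00f6tter.example.de".encode("idna").decode("ascii")


def _label_regex(label):
    # '*' stands for any run of characters inside one label (never a dot).
    return "[^.]*".join(re.escape(part) for part in label.split("*"))


def naive_match(pattern, hostname):
    """Fragment wildcard matching per the RFC 2818 text, with no IDNA awareness."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(re.fullmatch(_label_regex(p), h)
               for p, h in zip(p_labels, h_labels))


def idna_aware_match(pattern, hostname):
    """Assumed policy: wildcard only in the leftmost label, and no partial
    wildcard expansion when either leftmost label is an A-label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    # All labels to the right of the leftmost one must match literally.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    left_p, left_h = p_labels[0], h_labels[0]
    if "*" not in left_p:
        return left_p == left_h
    if left_p == "*":
        # A lone wildcard covers one whole, non-empty label.
        return left_h != ""
    if left_p.startswith("xn--") or left_h.startswith("xn--"):
        # "x*" must not be allowed to swallow the "xn--" ACE prefix.
        return False
    return re.fullmatch(_label_regex(left_p), left_h) is not None


if __name__ == "__main__":
    for rule in ("x*.example.de", "*.example.de", "f*.example.de"):
        print(rule, IDN_HOST, naive_match(rule, IDN_HOST),
              idna_aware_match(rule, IDN_HOST))
```
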