Message278466
In accordance with http://tools.ietf.org/html/rfc6125#section-6.4.2:
"If the DNS domain name portion of a reference identifier is an internationalized domain name, then an implementation MUST convert any U-labels [IDNA-DEFS] in the domain name to A-labels before checking the domain name."
The question is: Where in python stdlib should it to convert domain name from U-label to A-label? Should it be in ssl._dnsname_match, e.g.:
...
hostname = hostname.encode('idna').decode('utf-8')
...
Or should it be at ssl._dnsname_match caller level?
I found that error appears after using ssl.SSLContext.wrap_bio, which in turn uses internal newPySSLSocket, which in turn always decode server_hostname through:
PySSLSocket *self;
...
PyObject *hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname), "idna", "strict");
...
self->server_hostname = hostname;
In this way, SSLSocket always contains U-label in its server_hostname field, and ssl._dnsname_match falis with "ssl.CertificateError: hostname ... doesn't match either of ..."
And i don't understand where is a bug, or is it a bug. |
|
Date |
User |
Action |
Args |
2016-10-11 08:02:36 | abracadaber | set | recipients:
+ abracadaber, gvanrossum, yselivanov |
2016-10-11 08:02:36 | abracadaber | set | messageid: <1476172956.13.0.85556243538.issue28414@psf.upfronthosting.co.za> |
2016-10-11 08:02:36 | abracadaber | link | issue28414 messages |
2016-10-11 08:02:35 | abracadaber | create | |
|