Author abracadaber
Recipients abracadaber, gvanrossum, yselivanov
Date 2016-10-11.08:02:35
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1476172956.13.0.85556243538.issue28414@psf.upfronthosting.co.za>
In-reply-to
Content
In accordance with http://tools.ietf.org/html/rfc6125#section-6.4.2:
"If the DNS domain name portion of a reference identifier is an internationalized domain name, then an implementation MUST convert any U-labels [IDNA-DEFS] in the domain name to A-labels before checking the domain name."
The question is: Where in python stdlib should it to convert domain name from U-label to A-label? Should it be in ssl._dnsname_match, e.g.:
...
hostname = hostname.encode('idna').decode('utf-8')
...
Or should it be at ssl._dnsname_match caller level?

I found that error appears after using ssl.SSLContext.wrap_bio, which in turn uses internal newPySSLSocket, which in turn always decode server_hostname through:
PySSLSocket *self;
...
PyObject *hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname), "idna", "strict");
...
self->server_hostname = hostname;
In this way, SSLSocket always contains U-label in its server_hostname field, and ssl._dnsname_match falis with "ssl.CertificateError: hostname ... doesn't match either of ..."

And i don't understand where is a bug, or is it a bug.
History
Date User Action Args
2016-10-11 08:02:36abracadabersetrecipients: + abracadaber, gvanrossum, yselivanov
2016-10-11 08:02:36abracadabersetmessageid: <1476172956.13.0.85556243538.issue28414@psf.upfronthosting.co.za>
2016-10-11 08:02:36abracadaberlinkissue28414 messages
2016-10-11 08:02:35abracadabercreate