Author christian.heimes
Recipients abracadaber, christian.heimes, gvanrossum, yselivanov
Date 2016-10-11.13:20:13
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1476192013.6.0.198249210962.issue28414@psf.upfronthosting.co.za>
In-reply-to
Content
Thanks for bringing this to my attention. I can confirm that the code is broken. Further more there are no tests for IDN for server_hostname.

* server_hostname must be an IDN U-label (locälhost)
* SSL handshake correctly converts and sends TLS SNI as IDN A-label (xn--loclhost-2za)
* getpeercert() returns DNS SAN as IDN A-label. It's less than ideal but required.
* the serverhostname_callback is called with IDN U-label
* match_hostname() is called with IDN U-label

The bug is clearly in match_hostname(). The function fails to convert the hostname U-label to A-label before it compares the certificate.

I have a rough draft of a patch here https://github.com/tiran/cpython/tree/issue28414_idna_verify

By the way IDNA support in Python is broken in general, #17305. We still don't support the latest IDNA standard from 2008 (!). IDNA 2003 is not compatible with German, Greek, Farsi and Sinhalese domains, http://unicode.org/faq/idn.html.
History
Date User Action Args
2016-10-11 13:20:13christian.heimessetrecipients: + christian.heimes, gvanrossum, yselivanov, abracadaber
2016-10-11 13:20:13christian.heimessetmessageid: <1476192013.6.0.198249210962.issue28414@psf.upfronthosting.co.za>
2016-10-11 13:20:13christian.heimeslinkissue28414 messages
2016-10-11 13:20:13christian.heimescreate