
Author ssivakorn
Recipients christian.heimes, ssivakorn
Date 2017-03-16.08:03:28
Message-id <1489651409.35.0.325138165365.issue29824@psf.upfronthosting.co.za>
Content
1. Allowing attempts to match an invalid hostname
According to the domain name specification in RFC 1035, only alphanumeric characters, dots and hyphens are valid characters in a domain name. We observe that the function match_hostname() in Lib/ssl.py allows other special characters (e.g., '=', '&') in the hostname when attempting to match it against the certificate commonName (CN)/subjectAltName DNS. An example would be matching the hostname "example.a=.com" with the certificate CN/DNS "example.a=.com" or CN/DNS "*.a=.example.com". Ensuring that a CN/DNS with invalid characters is rejected will make the library more robust against attacks that utilize such characters.

2. Matching a wildcard in a public suffix
As noted in section 7.2 of RFC 6125, some wildcard location specifications are not clear. We found that the function allows a wildcard over a public suffix in the certificate, and also allows attempting to match it in hostname verification, e.g., it matches the hostnames "google.com" and "example.com" with the certificate CN/DNS "*.com". This is not an RFC violation, but we might benefit from implementing the check, for example "*.one_label" is restricted. A better option would be having a list of all TLDs and checking against it.

Thanks.
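The two checks the report asks for, written here as an added illustration rather than code from CPython's Lib/ssl.py: a label validator following the RFC 1035 letter-digit-hyphen rule, and a pattern validator that only accepts a wildcard when it is the whole leftmost label and leaves at least two labels to its right (so "*.com" is rejected), optionally consulting a public-suffix set so multi-label suffixes such as "co.uk" are caught too. The names match_hostname, is_valid_hostname and is_acceptable_pattern are this example's own, the public_suffixes set passed in the usage is a constructed sample and not the real Public Suffix List, and rejecting partial wildcards like "f*.example.com" is a deliberate simplification that is stricter than RFC 6125.

```python
import re

# RFC 1035 letter-digit-hyphen label: 1-63 chars, alphanumerics and '-',
# no leading or trailing hyphen. Characters such as '=' or '&' fail this.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _labels(name: str) -> list:
    """Split a name into labels, tolerating one trailing dot (FQDN form)."""
    return name.lower().rstrip(".").split(".")


def is_valid_hostname(name: str) -> bool:
    """True if the hostname is non-empty, <= 253 chars and every label is LDH-valid."""
    stripped = name.rstrip(".")
    if not stripped or len(stripped) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in stripped.split("."))


def is_acceptable_pattern(pattern: str, public_suffixes=frozenset()) -> bool:
    """Validate a certificate CN/SAN DNS pattern before it is ever matched.

    Rules (this example's policy, stricter than RFC 6125):
      - a wildcard must be the entire leftmost label ("*.example.com");
      - at least two labels must follow the wildcard, so "*.com" is rejected;
      - the part after the wildcard must not itself be a known public suffix
        (e.g. "*.co.uk" when "co.uk" is in public_suffixes);
      - every non-wildcard label must be LDH-valid.
    """
    labels = _labels(pattern)
    if any(label == "" for label in labels):
        return False
    if "*" in pattern:
        if labels[0] != "*" or "*" in pattern[1:]:
            return False  # partial or non-leading wildcard
        suffix = labels[1:]
        if len(suffix) < 2 or ".".join(suffix) in public_suffixes:
            return False
        labels = suffix
    return all(_LABEL_RE.match(label) for label in labels)


def match_hostname(hostname: str, cert_names, public_suffixes=frozenset()):
    """Return the certificate name that matches hostname, or None.

    Raises ValueError for a syntactically invalid hostname instead of trying to
    match it. Invalid or over-broad certificate patterns are skipped, so a
    malformed SAN entry can never produce a positive match.
    """
    if not is_valid_hostname(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    host_labels = _labels(hostname)
    for pattern in cert_names:
        if not is_acceptable_pattern(pattern, public_suffixes):
            continue
        pat_labels = _labels(pattern)
        if len(pat_labels) != len(host_labels):
            continue  # a wildcard covers exactly one label (RFC 6125 6.4.3)
        if pat_labels[0] == "*":
            if pat_labels[1:] == host_labels[1:]:
                return pattern
        elif pat_labels == host_labels:
            return pattern
    return None


if __name__ == "__main__":
    # Constructed sample of public suffixes; the real list is far larger.
    SAMPLE_SUFFIXES = frozenset({"com", "net", "co.uk"})
    print(match_hostname("www.example.com", ["*.example.com"]))      # *.example.com
    print(match_hostname("example.com", ["*.com"]))                  # None
    print(is_acceptable_pattern("*.co.uk"))                          # True (label-count rule alone)
    print(is_acceptable_pattern("*.co.uk", SAMPLE_SUFFIXES))         # False (suffix list)
    print(is_acceptable_pattern("*.a=.example.com"))                 # False
    try:
        match_hostname("example.a=.com", ["example.a=.com"])
    except ValueError as exc:
        print(exc)                                                   # invalid hostname
```

The last two calls in the usage show why the report prefers a suffix list over the one-label rule: "*.co.uk" passes the label-count check but is caught once "co.uk" is known to be a public suffix.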
History
Date                 User        Action   Args
2017-03-16 08:03:29  ssivakorn   set      recipients: + ssivakorn, christian.heimes
2017-03-16 08:03:29  ssivakorn   set      messageid: <1489651409.35.0.325138165365.issue29824@psf.upfronthosting.co.za>
2017-03-16 08:03:29  ssivakorn   link     issue29824 messages
2017-03-16 08:03:28  ssivakorn   create