Message 299846 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	Socob, abracadaber, alex, christian.heimes, dstufft, janssen, kedare, njs, tialaramex, yselivanov
Date	2017-08-07.12:23:10
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1502108591.6.0.21347746452.issue28414@psf.upfronthosting.co.za>
In-reply-to

Content
For the record, I'm now considering match_hostname() on U-Labels crazy level 'A sure sign of someone who wears his underpants on his head.'. Once upon a time I had some hope to make it work and keep server_hostname to be an IDN U-Label. I no longer think it feasible and safe at the same time. Pros: * ACE is native encoding in SNI TLSEXT. * ACE is native encoding in X509v3 SAN extension. * ACE is native encoding in DNS. * ACE is required to avoid partial wildcards on punycode ("x" must not match "xn--..."). OpenSSL's hostname verification operates on ACE. * ACE is not ambiguous, ACE -> U-label -> ACE depends on IDNA standard and settings. Cons: * Making SSLSocket.server_hostname IDN A-label instead of U-label is backwards incompatible. Self-quote from https://github.com/pyca/cryptography/issues/3357#issuecomment-318902879 --- I have been struggling with similar issues in Python's ssl module. The current implementation cannot verify and match IDN host names. It's also a bit of a mess, SNI callback and server_hostname are IDN U-labels, cert attributes are IDN A-labels. I have played with several approaches to fix the issue. So far only one approach is both simple enough to be memorable and not a potential source of security issues. It's also fully backwards compatible with ASCII-only host names. User supplied input (hostname for TCP connection, server hostname) can be specified as either IDN U-label (str), IDN A-label (aka ACE, str) or ACE bytes. Internally the socket module and SSL module use ACE bytes only. Text (str) are converted to ACE bytes using IDNA. Since ACE str are just ASCII, IDNA encoding of ACE str is equivalent to encoding with ASCII encoding. All output (SAN dNSName, SAN URI, CN, SNI callback, server_hostname attribute) are decoded as ACE strings. Since IDN is not a bijective mapping and also depends on the IDNA standard (2003, 2008, UTS46), this avoids some potential security issues. X.509 hostname verification and matching is defined on ACE, not IDN U-labels. I would rather keep them as bytes, but it wouldn't be backwards compatible. Also the aligns the SSL module with the socket module. socket.getnameinfo() decodes with ASCII, not with IDNA. The new approach will make the SSL module compatible with the external idna package and IDNA 2008. Users just have to pass in ACE bytes as server_hostname. ---

For the record, I'm now considering match_hostname() on U-Labels crazy level 'A sure sign of someone who wears his underpants on his head.'. Once upon a time I had some hope to make it work and keep server_hostname to be an IDN U-Label. I no longer think it feasible and safe at the same time.

Pros:

* ACE is native encoding in SNI TLSEXT.
* ACE is native encoding in X509v3 SAN extension.
* ACE is native encoding in DNS.
* ACE is required to avoid partial wildcards on punycode ("x*" must not match "xn--...").
* OpenSSL's hostname verification operates on ACE.
* ACE is not ambiguous, ACE -> U-label -> ACE depends on IDNA standard and settings.

Cons:

* Making SSLSocket.server_hostname IDN A-label instead of U-label is backwards incompatible.

Self-quote from https://github.com/pyca/cryptography/issues/3357#issuecomment-318902879

---
I have been struggling with similar issues in Python's ssl module. The current implementation cannot verify and match IDN host names. It's also a bit of a mess, SNI callback and server_hostname are IDN U-labels, cert attributes are IDN A-labels. I have played with several approaches to fix the issue. So far only one approach is both simple enough to be memorable and not a potential source of security issues. It's also fully backwards compatible with ASCII-only host names.

User supplied input (hostname for TCP connection, server hostname) can be specified as either IDN U-label (str), IDN A-label (aka ACE, str) or ACE bytes. Internally the socket module and SSL module use ACE bytes only. Text (str) are converted to ACE bytes using IDNA. Since ACE str are just ASCII, IDNA encoding of ACE str is equivalent to encoding with ASCII encoding.

All output (SAN dNSName, SAN URI, CN, SNI callback, server_hostname attribute) are decoded as ACE strings. Since IDN is not a bijective mapping and also depends on the IDNA standard (2003, 2008, UTS46), this avoids some potential security issues. X.509 hostname verification and matching is defined on ACE, not IDN U-labels. I would rather keep them as bytes, but it wouldn't be backwards compatible. Also the aligns the SSL module with the socket module. socket.getnameinfo() decodes with ASCII, not with IDNA.

The new approach will make the SSL module compatible with the external idna package and IDNA 2008. Users just have to pass in ACE bytes as server_hostname.
---

History
Date	User	Action	Args
2017-08-07 12:23:11	christian.heimes	set	recipients: + christian.heimes, janssen, alex, njs, yselivanov, dstufft, abracadaber, Socob, kedare, tialaramex
2017-08-07 12:23:11	christian.heimes	set	messageid: <1502108591.6.0.21347746452.issue28414@psf.upfronthosting.co.za>
2017-08-07 12:23:11	christian.heimes	link	issue28414 messages
2017-08-07 12:23:10	christian.heimes	create