Author christian.heimes
Recipients christian.heimes
Date 2018-02-11.13:16:20
Message-id <1518354981.31.0.467229070634.issue32819@psf.upfronthosting.co.za>
Content
Since bpo #23033, ssl.match_hostname() no longer supports partial wildcard matching, e.g. "www*.example.org". In case of a partial match, _dnsname_match() fails with a confusing/wrong error message:

>>> import ssl
>>> ssl._dnsname_match('www*.example.com', 'www1.example.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File ".../cpython/Lib/ssl.py", line 198, in _dnsname_match
    "wildcard can only be present in the leftmost segment: " + repr(dn))
ssl.SSLCertVerificationError: ("wildcard can only be present in the leftmost segment: 'www*.example.com'",)

The wildcard *is* in the leftmost segment. But it's not a full match but a partial match.

The error message applies to a SAN dNSName like "*.*.example.org" or "www.*.example.com"; however, the function does not raise an error for multiple or non-leftmost wildcards:

# multiple wildcards return None
>>> ssl._dnsname_match('*.*.example.com', 'www.sub.example.com')
# single wildcard in another label returns False
>>> ssl._dnsname_match('www.*.example.com', 'www.sub.example.com')
False
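To make the three cases above concrete, here is an added, stand-alone matcher written for this page; it is not the code from CPython's ssl module, and the CertificateError class and the error texts are this example's own choices. It applies the RFC 6125 section 6.4.3 rules the report refers to (case-insensitive comparison, at most one wildcard, wildcard must be the whole leftmost label and stands for exactly one label) and raises a distinct, accurate error for a partial wildcard, for multiple wildcards, and for a wildcard outside the leftmost label, instead of returning None or False or a misleading message:

```python
# Hypothetical error type for this example; CPython's ssl module has its own.
class CertificateError(ValueError):
    pass


def dnsname_match(dn, hostname):
    """Match a SAN dNSName pattern against a hostname.

    Rules implemented here (RFC 6125 section 6.4.3, as read for this example):
      * comparison is case-insensitive, label by label;
      * at most one wildcard, and it must be the entire leftmost label;
      * the wildcard matches exactly one non-empty label, so '*.example.com'
        matches 'www.example.com' but not 'a.b.example.com' or 'example.com';
      * a malformed pattern raises CertificateError rather than silently
        returning None or False.
    """
    if not dn or not hostname:
        return False
    dn_labels = dn.lower().split('.')
    host_labels = hostname.lower().split('.')

    wildcards = dn.count('*')
    if wildcards == 0:
        # Common case: plain name, exact (case-insensitive) label comparison.
        return dn_labels == host_labels
    if wildcards > 1:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)

    leftmost, *rest = dn_labels
    if any('*' in label for label in rest):
        raise CertificateError(
            "wildcard can only be present in the leftmost segment: %r" % dn)
    if leftmost != '*':
        # '*' is in the leftmost label but mixed with other characters ('www*').
        raise CertificateError(
            "partial wildcard in leftmost segment is not supported: %r" % dn)
    if not rest:
        raise CertificateError(
            "sole wildcard without additional labels is not supported: %r" % dn)

    # '*' stands for exactly one label: same label count, a non-empty leftmost
    # hostname label, and identical remaining labels.
    return (len(host_labels) == len(dn_labels)
            and host_labels[0] != ''
            and host_labels[1:] == rest)


def match_result(dn, hostname):
    """Return the match outcome, or the error text for a malformed pattern,
    so the cases from the report can be tabulated side by side."""
    try:
        return dnsname_match(dn, hostname)
    except CertificateError as exc:
        return 'error: ' + str(exc)


if __name__ == "__main__":
    # Constructed cases; the first three are the ones quoted in the report.
    cases = [
        ('www*.example.com', 'www1.example.com'),
        ('*.*.example.com', 'www.sub.example.com'),
        ('www.*.example.com', 'www.sub.example.com'),
        ('*.example.com', 'www.example.com'),
        ('*.example.com', 'a.b.example.com'),
        ('*.example.com', 'example.com'),
    ]
    for dn, host in cases:
        print('%-20s %-22s -> %s' % (dn, host, match_result(dn, host)))
```

The point of raising on every malformed pattern, rather than returning None or False for some of them, is that a caller iterating over a certificate's dNSName entries cannot tell "this SAN does not match" from "this SAN is malformed" when both come back falsy; a malformed SAN is a property of the certificate and is worth surfacing as an error with a message that names the actual defect.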