classification
Title: Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling.
Type: security Stage: resolved
Components: SSL Versions: Python 3.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Mariatta, alex, benjamin.peterson, christian.heimes, dstufft, ned.deily, pitrou, rhettinger
Priority: normal Keywords:

Created on 2014-12-11 21:03 by dstufft, last changed 2017-11-26 22:33 by Mariatta. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 937 merged daxlab, 2017-04-01 04:59
Messages (10)
msg232493 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-12-11 21:03
Various browsers[1][2] are dropping support for wild card certificates which are anything but a single "*" alone in the left most position. The other style wildcards were deprecated previously and they should not appear in any public certificate and in the words of the Chrome project are "dang weird for internal certificates".

I believe we should follow suite and just only allow a single "*" alone in the left most segment for the SSL handling code.

[1] https://codereview.chromium.org/762013002
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1107791
msg232494 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-12-11 21:06
Sounds fine for me in 3.5.
msg232503 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2014-12-11 23:54
As a part of this, we might want to consider changing the implementation to not compile the SANs into a regular expression. Constantly compiling new regexs can cause churn in the `re` cache, which can degrade performance -- also, it's probably much worse on PyPy :-)
msg275039 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-08 15:09
Sounds good to me!

For 3.7 I'm planning to use OpenSSL's hostname verification system and deprecate match_hostname(). It does support partial matching by default.
msg290994 - (view) Author: Raymond Hettinger (rhettinger) * (Python committer) Date: 2017-04-01 16:06
+1
msg291040 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-04-02 18:06
Ned, Benjamin,

are you ok with a backport to 2.7 and 3.6? Substring (aka partial) matching of wildcards is a MAY feature according to RFC 6125 https://tools.ietf.org/html/rfc6125#section-6.4.3 . They are a violation of CA/B Form's baseline requirements, so no publicaly trusted cert may contain a CN or SAN entry with a partial wildcard. Several libraries and languages do not implement the feature either. Improper wildcard matching caused a bunch of security issues and CVEs in Python.
msg295742 - (view) Author: Mariatta Wijaya (Mariatta) * (Python committer) Date: 2017-06-12 04:14
Can this go to 3.6.2?
msg295756 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-06-12 08:37
It's probably not a good idea to port it to 3.6. It's a backwards incompatible change.
msg307025 - (view) Author: Mariatta Wijaya (Mariatta) * (Python committer) Date: 2017-11-26 22:31
New changeset ede2ac913eba47131ee1bbc37a9aea344d678576 by Mariatta (Mandeep Singh) in branch 'master':
bpo-23033:  Improve SSL Certificate handling (GH-937)
https://github.com/python/cpython/commit/ede2ac913eba47131ee1bbc37a9aea344d678576
msg307026 - (view) Author: Mariatta Wijaya (Mariatta) * (Python committer) Date: 2017-11-26 22:33
I merged the PR, this is now in 3.7.
Thanks all!
History
Date User Action Args
2017-11-26 22:33:13Mariattasetstatus: open -> closed
resolution: fixed
messages: + msg307026

stage: patch review -> resolved
2017-11-26 22:31:29Mariattasetmessages: + msg307025
2017-06-12 08:37:00christian.heimessetmessages: + msg295756
2017-06-12 04:14:27Mariattasetnosy: + Mariatta

messages: + msg295742
stage: needs patch -> patch review
2017-04-02 18:06:40christian.heimessetnosy: + benjamin.peterson, ned.deily
messages: + msg291040
2017-04-01 16:06:01rhettingersetnosy: + rhettinger
messages: + msg290994
2017-04-01 04:59:28daxlabsetpull_requests: + pull_request1120
2016-09-15 07:54:43christian.heimessetassignee: christian.heimes
components: + SSL
versions: - Python 3.5, Python 3.6
2016-09-08 15:09:50christian.heimessetversions: + Python 3.6, Python 3.7
nosy: + christian.heimes

messages: + msg275039

type: security
stage: needs patch
2014-12-11 23:54:15alexsetnosy: + alex
messages: + msg232503
2014-12-11 21:06:47pitrousetnosy: + pitrou

messages: + msg232494
versions: - Python 2.7, Python 3.4, Python 3.6
2014-12-11 21:03:43dstufftcreate