
Title: Lib/ breaks certificate validation for wildcard domains, e.g. *
Type: behavior Stage: resolved
Components: Versions: Python 3.5, Python 2.7
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: Alexander Todorov, christian.heimes
Priority: normal Keywords:

Created on 2015-11-24 13:37 by Alexander Todorov, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (2)
msg255265 - Author: Alexander Todorov (Alexander Todorov) Date: 2015-11-24 13:37
The latest file tries to validate hostnames vs certificates but includes a faulty regexp which causes any wildcard domains (e.g. * to fail validation. 

Steps to Reproduce:
>>> import ssl
>>> ssl._dnsname_match("*", "")

From Python's documentation:


    Used to indicate a set of characters. In a set:

        Special characters lose their special meaning inside sets. For example, [(+*)] will match any of the literal characters '(', '+', '*', or ')'.

^^^^^^^^^ this is the cause of the error

I've found this after an upgrade to RHEL 7.2, which contains the faulty code, broke s3cmd for me. The result - one of my sites was outdated for a couple of days.

For more info and proposed patch see:

Note: As far as I can tell this affects upstream Python 2.7.10 and 3.5.0, however in the packages Red Hat distributes the code is different between 2 and 3 while upstream is more consistent.
msg255266 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2015-11-24 13:47
This is not a bug. It's actually how wildcards in X.509 certificates work. For hostnames a wildcard only matches one label. There can only be one wildcard and the wildcard must be in the left-most label.

This means that "*" matches "" but doesn't match "".
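
The three rules in the reply above, written out as an added example (not part of the original thread and not the code in the ssl module). `wildcard_matches` is a hypothetical helper, the hostnames are constructed, and it assumes the wildcard is the whole left-most label.

```python
# Added illustration: wildcard_matches is a hypothetical helper, not ssl's own code.

def wildcard_matches(pattern, hostname):
    """Return True if a certificate dNSName pattern covers hostname.

    Raises ValueError for patterns that break the wildcard placement rules,
    so a malformed certificate name is not confused with a plain mismatch.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    # Rule: there can only be one wildcard.
    if pattern.count("*") > 1:
        raise ValueError("more than one wildcard: %r" % pattern)
    # Rule: the wildcard must be in the left-most label.
    if any("*" in label for label in p_labels[1:]):
        raise ValueError("wildcard outside left-most label: %r" % pattern)

    if "*" not in p_labels[0]:
        return p_labels == h_labels  # no wildcard: exact, case-insensitive

    # Assumption of this example: the wildcard is the whole left-most label.
    if p_labels[0] != "*":
        raise ValueError("partial-label wildcard not handled: %r" % pattern)

    # Rule: the wildcard matches exactly one label, so both names need the
    # same number of labels and every label after the first must be equal.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


# Constructed sample names (pattern, hostname); none come from the issue.
SAMPLES = [
    ("*.example.com", "www.example.com"),   # one label under the wildcard
    ("*.example.com", "a.b.example.com"),   # two labels: not covered
    ("*.example.com", "example.com"),       # zero labels: not covered
    ("www.example.com", "WWW.example.com"), # no wildcard, case-insensitive
]

def run_samples():
    return [wildcard_matches(p, h) for p, h in SAMPLES]

if __name__ == "__main__":
    for (p, h), ok in zip(SAMPLES, run_samples()):
        print("%-18s %-18s %s" % (p, h, "match" if ok else "no match"))
```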

History
Date                 User               Action  Args
2022-04-11 14:58:24  admin              set     github: 69908
2015-11-24 13:47:49  christian.heimes   set     status: open -> closed; type: behavior; nosy: + christian.heimes; messages: + msg255266; resolution: not a bug; stage: resolved
2015-11-24 13:37:37  Alexander Todorov  create