classification
Title: Lib/ssl.py breaks certificate validation for wildcard domains, e.g. *.s3.amazonaws.com
Type: behavior Stage: resolved
Components: Versions: Python 3.5, Python 2.7
process
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: Alexander Todorov, christian.heimes
Priority: normal Keywords:

Created on 2015-11-24 13:37 by Alexander Todorov, last changed 2015-11-24 13:47 by christian.heimes. This issue is now closed.

Messages (2)
msg255265 - (view) Author: Alexander Todorov (Alexander Todorov) Date: 2015-11-24 13:37
The latest ssl.py file tries to validate hostnames vs certificates but includes a faulty regexp which causes any wildcard domains (e.g. *.s3.amazonaws.com) to fail validation. 

Steps to Reproduce:
>>> import ssl
>>> ssl._dnsname_match("*.s3.amazonaws.com", "planet.sofiavalley.com.s3.amazonaws.com")
>>> 

From Python's documentation:

[]

    Used to indicate a set of characters. In a set:

...
        Special characters lose their special meaning inside sets. For example, [(+*)] will match any of the literal characters '(', '+', '*', or ')'.


^^^^^^^^^ this is the cause of the error

I've found this after an upgrade to RHEL 7.2 which contains the faulty code broke s3cmd for me. The result - one of my sites was outdated for a couple of days.

For more info and proposed patch see:
https://bugzilla.redhat.com/show_bug.cgi?id=1284916
https://bugzilla.redhat.com/show_bug.cgi?id=1284930

Note: As far as I can tell this affects upstream Python 2.7.10 and 3.5.0, however in the packages Red Hat distributes the code is different between 2 and 3 while upstream is more consistent.
msg255266 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2015-11-24 13:47
This is not a bug. It's actually the way how wildcards in X.509 certificates work. For hostnames a wildcard only matches one label. There can only be one wildcard and the wildcard must be in the left-most label. https://tools.ietf.org/html/rfc6125#section-6.4.3

This means that "*.s3.amazonaws.com" matches "com.s3.amazonaws.com" but doesn't match "planet.sofiavalley.com.s3.amazonaws.com".
History
Date User Action Args
2015-11-24 13:47:49christian.heimessetstatus: open -> closed

type: behavior

nosy: + christian.heimes
messages: + msg255266
resolution: not a bug
stage: resolved
2015-11-24 13:37:37Alexander Todorovcreate