Classification
Title: match_hostname() error reporting bug
Type: behavior    Stage: resolved
Components: SSL    Versions: Python 3.8, Python 3.7, Python 3.6, Python 2.7
Process
Status: closed    Resolution: fixed
Dependencies:    Superseder:
Assigned To: christian.heimes    Nosy List: alex, christian.heimes, dstufft, janssen
Priority: normal    Keywords: patch

Created on 2018-02-11 13:16 by christian.heimes, last changed 2018-02-25 20:12 by christian.heimes. This issue is now closed.

Pull Requests
PR 5620  merged  christian.heimes, 2018-02-11 14:58
PR 5847  merged  miss-islington, 2018-02-24 13:37
Messages (8)
msg311996 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2018-02-11 13:16
Since bpo #23033, ssl.match_hostname() no longer supports partial wildcard matching, e.g. "www*.example.org". In case of a partial match, _dnsname_match() fails with a confusing/wrong error message:

>>> import ssl
>>> ssl._dnsname_match('www*.example.com', 'www1.example.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File ".../cpython/Lib/ssl.py", line 198, in _dnsname_match
    "wildcard can only be present in the leftmost segment: " + repr(dn))
ssl.SSLCertVerificationError: ("wildcard can only be present in the leftmost segment: 'www*.example.com'",)

The wildcard *is* in the leftmost segment. But it's not a full match but a partial match.

The error message applies to a SAN dNSName like "*.*.example.org" or "www.*.example.com"; however, the function does not raise an error for multiple or non-leftmost wildcards:

# multiple wildcards return None
>>> ssl._dnsname_match('*.*.example.com', 'www.sub.example.com')
# single wildcard in another label returns False
>>> ssl._dnsname_match('www.*.example.com', 'www.sub.example.com')
False
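As an added example (not CPython's ssl.py), a strict dNSName matcher that reports each malformed wildcard form shown above with a specific error instead of a misleading message or a silent None/False, plus a small match_hostname over a getpeercert()-style dict; the function names and the sample certificate are assumptions.

```python
class CertificateError(ValueError):
    """Raised when a certificate dNSName is malformed or does not match."""


def dnsname_match(dn: str, hostname: str) -> bool:
    """Return True if certificate dNSName `dn` matches `hostname`.
    Strict reading of RFC 6125 section 6.4.3: '*' must be the entire leftmost
    label and at least one more label must follow it.
    """
    if not dn:
        return False
    if '*' not in dn:  # plain name: case-insensitive exact comparison
        return dn.lower() == hostname.lower()
    if dn.count('*') > 1:  # e.g. '*.*.example.com'
        raise CertificateError(f"too many wildcards in certificate DNS name: {dn!r}")
    dn_left, sep, dn_rest = dn.partition('.')
    if '*' in dn_rest:  # e.g. 'www.*.example.com'
        raise CertificateError(f"wildcard can only be present in the leftmost label: {dn!r}")
    if not sep:  # a bare '*' would match every host
        raise CertificateError(f"sole wildcard without additional labels is not supported: {dn!r}")
    if dn_left != '*':  # e.g. 'www*.example.com' (partial wildcard)
        raise CertificateError(f"partial wildcards in leftmost label are not supported: {dn!r}")
    host_left, sep, host_rest = hostname.partition('.')
    if not host_left or not sep:  # '*.example.com' must not match bare 'example.com'
        return False
    return dn_rest.lower() == host_rest.lower()  # exactly one label, so not 'a.b.example.com'


def rejection_reason(dn: str, hostname: str):
    """Return the CertificateError message for `dn`, or None if `dn` is well formed."""
    try:
        dnsname_match(dn, hostname)
    except CertificateError as exc:
        return str(exc)
    return None


def match_hostname(cert: dict, hostname: str) -> None:
    """Verify `hostname` against the dNSName SAN entries of a getpeercert()-style dict (no CN fallback)."""
    dnsnames = [v for kind, v in cert.get('subjectAltName', ()) if kind == 'DNS']
    if not dnsnames:
        raise CertificateError("certificate has no dNSName subjectAltName entries")
    if not any(dnsname_match(dn, hostname) for dn in dnsnames):
        raise CertificateError(f"hostname {hostname!r} doesn't match any of {dnsnames}")


# Constructed getpeercert()-style dict for a stand-alone check (not a real certificate).
SAMPLE_CERT = {'subjectAltName': (('DNS', '*.example.com'), ('DNS', 'example.com'))}
```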
msg312712 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2018-02-24 13:36
New changeset aef1283ba428e33397d87cee3c54a5110861552d by Christian Heimes in branch 'master':
bpo-32819: Simplify and improve ssl.match_hostname (#5620)
https://github.com/python/cpython/commit/aef1283ba428e33397d87cee3c54a5110861552d
msg312714 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2018-02-24 14:06
New changeset 46632f4d3c1f3aef875d2ada750a298ab0510992 by Christian Heimes (Miss Islington (bot)) in branch '3.7':
[3.7] bpo-32819: Simplify and improve ssl.match_hostname (GH-5620) (#5847)
https://github.com/python/cpython/commit/46632f4d3c1f3aef875d2ada750a298ab0510992
msg312721 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2018-02-24 15:09
master and 3.7 are fixed.

Should I backport the issue to 2.7 and 3.6, too? It changes behavior slightly because it drops support for partial wildcards. RFC 6125 considers it an optional feature. AFAIK browsers don't match them either.
msg312722 - Author: Alex Gaynor (alex) (Python committer) Date: 2018-02-24 15:10
Can confirm, no browsers do partial (or multiple) wildcards and the CABF rules don't allow public CAs to issue them.
msg312723 - Author: Alex Gaynor (alex) (Python committer) Date: 2018-02-24 15:10
(Didn't mean to update status)
msg312724 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2018-02-24 15:13
Don't worry, it happens automatically when somebody replies to a pending ticket w/o closing it explicitly.

I need to backport the patch manually.
msg312725 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2018-02-24 15:16
I also fixed an issue for Brandon's backport, https://bitbucket.org/brandon/backports.ssl_match_hostname/issues/12/update-to-implementation-from-37
History
2018-02-25 20:12:09  christian.heimes  set     status: open -> closed; resolution: fixed; stage: needs patch -> resolved
2018-02-24 15:16:36  christian.heimes  set     messages: + msg312725
2018-02-24 15:13:55  christian.heimes  set     status: pending -> open; versions: + Python 2.7, Python 3.6; messages: + msg312724; resolution: fixed -> (no value); stage: resolved -> needs patch
2018-02-24 15:10:46  alex              set     status: open -> pending; messages: + msg312723
2018-02-24 15:10:18  alex              set     status: pending -> open; messages: + msg312722
2018-02-24 15:09:14  christian.heimes  set     status: open -> pending; versions: + Python 3.7, Python 3.8; nosy: + janssen, alex, dstufft; messages: + msg312721; resolution: fixed; stage: patch review -> resolved
2018-02-24 14:06:48  christian.heimes  set     messages: + msg312714
2018-02-24 13:37:08  miss-islington    set     pull_requests: + pull_request5623
2018-02-24 13:36:00  christian.heimes  set     messages: + msg312712
2018-02-11 14:58:36  christian.heimes  set     keywords: + patch; stage: patch review; pull_requests: + pull_request5429
2018-02-11 13:16:21  christian.heimes  create