Author pitrou
Recipients christian.heimes, fweimer, iankko, mpessas, pitrou
Date 2013-05-16.12:33:31
Message-id <1368707611.71.0.761734577529.issue17980@psf.upfronthosting.co.za>
Content
Indeed, two wildcards seem to be ok with a 255-character domain name:

$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
1000 loops, best of 3: 797 usec per loop

Three wildcards already start producing some load:

$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 66.2 msec per loop

Four wildcards are more than enough for a DoS:

$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 4.12 sec per loop
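The pattern behind these timings is the wildcard-to-regex translation: every `*` in a certificate name label becomes `[^.]*`, so a name with several wildcards against a long non-matching label makes the regex engine backtrack exponentially. The following is an added example (not code from the tracker or from Python's ssl module) of a simplified matcher that caps the number of wildcards per label before any regex is built; the function names, the `max_wildcards` parameter and the cap of one are assumptions chosen for illustration.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate name cannot be matched (mirrors ssl.CertificateError)."""


def dnsname_to_pattern(dn, max_wildcards=1):
    """Translate a certificate DNS name into an anchored, case-insensitive regex.

    Each '*' inside a label becomes '[^.]*'. The guard added here is the
    max_wildcards cap (an assumed parameter): a label carrying more wildcards
    than allowed is rejected up front, so the exponential backtracking that
    names like '*a*a*a*a.com' would trigger is never paid.
    """
    parts = []
    for frag in dn.split('.'):
        if frag.count('*') > max_wildcards:
            raise CertificateError(
                "too many wildcards in certificate DNS name: %r" % dn)
        if frag == '*':
            parts.append('[^.]+')  # a lone '*' must match a non-empty label
        else:
            # escape everything, then turn the escaped '\*' back into a label wildcard
            parts.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(parts) + r'\Z', re.IGNORECASE)


def hostname_matches(dn, hostname, max_wildcards=1):
    """True if the certificate name dn matches hostname under the wildcard cap."""
    return dnsname_to_pattern(dn, max_wildcards).match(hostname) is not None


def is_rejected(dn, max_wildcards=1):
    """True if dn is refused by the wildcard cap before any matching happens."""
    try:
        dnsname_to_pattern(dn, max_wildcards)
    except CertificateError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the 255-character hostname from the timings above.
    host = 'a' * 250 + 'z.com'
    print(hostname_matches('*a.com', host))        # one wildcard: cheap, no match
    print(is_rejected('*a*a*a*a.com'))             # four wildcards: refused outright
    print(hostname_matches('*.example.com', 'foo.example.com'))
```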