
Author christian.heimes
Recipients christian.heimes, pitrou
Date 2013-05-17.14:04:53
Message-id <1368799493.86.0.504478450601.issue17997@psf.upfronthosting.co.za>
In-reply-to
Content
Python's ssl.match_hostname() does substring matching as specified in RFC 2818:

   Names may contain the wildcard
   character * which is considered to match any single domain name
   component or component fragment. E.g., *.a.com matches foo.a.com but
   not bar.foo.a.com. f*.com matches foo.com but not bar.com.

The RFC doesn't specify how internationalized domain names should be handled because it predates RFC 5890 for IDNA by many years. IDNA are prefixed with "xn--", e.g. u"götter.example.de".encode("idna") == "xn--gtter-jua.example.de". This can result in false positive matches for a rule like "x*.example.de".

Chrome has special handling for IDN prefix in X509Certificate::VerifyHostname()
http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/x509_certificate.cc

Also see #17980
History
Date                 User              Action  Args
2013-05-17 14:04:53  christian.heimes  set     recipients: + christian.heimes, pitrou
2013-05-17 14:04:53  christian.heimes  set     messageid: <1368799493.86.0.504478450601.issue17997@psf.upfronthosting.co.za>
2013-05-17 14:04:53  christian.heimes  link    issue17997 messages
2013-05-17 14:04:53  christian.heimes  create
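
The false positive described in the message, reproduced as an added example that is not part of the original report and is neither CPython's nor Chrome's code. `naive_match` and `idna_aware_match` are hypothetical names; the stricter policy shown (a partial wildcard is never expanded against an "xn--" label) is one possible mitigation, assumed here for illustration.

```python
import re

def to_ascii(hostname):
    """Convert a Unicode hostname to its IDNA A-label form (xn--...)."""
    return hostname.encode("idna").decode("ascii").lower()

def _fragment_match(pattern_label, host_label):
    """'*' matches any run of characters inside one label (RFC 2818 wording)."""
    regex = "[^.]*".join(re.escape(part) for part in pattern_label.split("*"))
    return re.fullmatch(regex, host_label) is not None

def naive_match(pattern, hostname):
    """Fragment wildcard matching in every label, with no IDNA awareness."""
    p, h = pattern.lower().split("."), to_ascii(hostname).split(".")
    return len(p) == len(h) and all(_fragment_match(a, b) for a, b in zip(p, h))

def idna_aware_match(pattern, hostname):
    """Hypothetical stricter policy: a partial wildcard never matches an A-label."""
    p, h = pattern.lower().split("."), to_ascii(hostname).split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False              # wildcard is honoured only in the leftmost label
    left_p, left_h = p[0], h[0]
    if left_p == "*":
        return bool(left_h)       # whole-label wildcard: any single non-empty label
    if left_p.startswith("xn--") or left_h.startswith("xn--"):
        return left_p == left_h   # A-labels compare literally, '*' is not expanded
    return _fragment_match(left_p, left_h)

def demo():
    # Hostname from the report ("götter.example.de"), written with an escape
    # so the file stays pure ASCII.
    host = "g\u00f6tter.example.de"
    patterns = ("x*.example.de", "*.example.de", "xn--gtter-jua.example.de")
    return [(p, naive_match(p, host), idna_aware_match(p, host)) for p in patterns]

if __name__ == "__main__":
    for pattern, naive, strict in demo():
        print(f"{pattern:26} naive={naive!s:5} idna_aware={strict}")
```
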