This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients christian.heimes, pitrou
Date 2013-05-17.14:04:53
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Python's ssl.match_hostname() does sub string matching as specified in RFC 2818:

   Names may contain the wildcard
   character * which is considered to match any single domain name
   component or component fragment. E.g., * matches but
   not f*.com matches but not

The RFC doesn't specify how internationalized domain names shoould be handled because it predates RFC 5890 for IDNA by many year. IDNA are prefixed with "xn--", e.g. u"gö".encode("idna") == 
"". This can result into false positive matches for a rule like "x*".

Chrome has special handling for IDN prefix in X509Certificate::VerifyHostname()

Also see #17980
Date User Action Args
2013-05-17 14:04:53christian.heimessetrecipients: + christian.heimes, pitrou
2013-05-17 14:04:53christian.heimessetmessageid: <>
2013-05-17 14:04:53christian.heimeslinkissue17997 messages
2013-05-17 14:04:53christian.heimescreate