This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author abracadaber
Recipients abracadaber, gvanrossum, yselivanov
Date 2016-10-11.08:02:35
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
In accordance with
"If the DNS domain name portion of a reference identifier is an internationalized domain name, then an implementation MUST convert any U-labels [IDNA-DEFS] in the domain name to A-labels before checking the domain name."
The question is: Where in python stdlib should it to convert domain name from U-label to A-label? Should it be in ssl._dnsname_match, e.g.:
hostname = hostname.encode('idna').decode('utf-8')
Or should it be at ssl._dnsname_match caller level?

I found that error appears after using ssl.SSLContext.wrap_bio, which in turn uses internal newPySSLSocket, which in turn always decode server_hostname through:
PySSLSocket *self;
PyObject *hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname), "idna", "strict");
self->server_hostname = hostname;
In this way, SSLSocket always contains U-label in its server_hostname field, and ssl._dnsname_match falis with "ssl.CertificateError: hostname ... doesn't match either of ..."

And i don't understand where is a bug, or is it a bug.
Date User Action Args
2016-10-11 08:02:36abracadabersetrecipients: + abracadaber, gvanrossum, yselivanov
2016-10-11 08:02:36abracadabersetmessageid: <>
2016-10-11 08:02:36abracadaberlinkissue28414 messages
2016-10-11 08:02:35abracadabercreate