Message291040
Ned, Benjamin,
are you ok with a backport to 2.7 and 3.6? Substring (aka partial) matching of wildcards is a MAY feature according to RFC 6125 https://tools.ietf.org/html/rfc6125#section-6.4.3 . They are a violation of CA/B Forum's baseline requirements, so no publicly trusted cert may contain a CN or SAN entry with a partial wildcard. Several libraries and languages do not implement the feature either. Improper wildcard matching caused a bunch of security issues and CVEs in Python.

| Date | User | Action | Args |
|---|---|---|---|
| 2017-04-02 18:06:40 | christian.heimes | set | recipients: + christian.heimes, rhettinger, pitrou, benjamin.peterson, ned.deily, alex, dstufft |
| 2017-04-02 18:06:40 | christian.heimes | set | messageid: <1491156400.24.0.723098905876.issue23033@psf.upfronthosting.co.za> |
| 2017-04-02 18:06:40 | christian.heimes | link | issue23033 messages |
| 2017-04-02 18:06:40 | christian.heimes | create | |
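
The message above argues for dropping partial wildcard matching. The following is an added example, not part of the original message and not CPython's code: a strict dNSName matcher that accepts `*` only as the entire leftmost label and refuses partial wildcards such as `www*.example.com`. The function names and the sample names in the comments are constructed for illustration.

```python
def classify_pattern(pattern):
    """Classify a certificate dNSName pattern.

    Returns 'exact', 'wildcard' (whole leftmost label is '*'),
    'partial' (e.g. 'www*', '*-api', 'f*o') or 'invalid'
    (a '*' anywhere outside the leftmost label).
    """
    labels = pattern.lower().split(".")
    if "*" not in pattern:
        return "exact"
    if any("*" in label for label in labels[1:]):
        return "invalid"
    if labels[0] == "*":
        return "wildcard"
    return "partial"


def dnsname_matches(pattern, hostname):
    """Return True only for exact matches or whole-label wildcard matches.

    Partial wildcards are the optional (MAY) feature of RFC 6125
    section 6.4.3; this matcher deliberately never honours them.
    """
    kind = classify_pattern(pattern)
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if kind == "exact":
        return p_labels == h_labels
    if kind != "wildcard":
        return False  # partial or misplaced wildcard: refuse to match
    # '*' stands for exactly one non-empty label, never zero or several.
    return (
        len(p_labels) == len(h_labels)
        and h_labels[0] != ""
        and p_labels[1:] == h_labels[1:]
    )


if __name__ == "__main__":
    # Constructed sample (pattern, hostname) pairs.
    samples = [
        ("*.example.com", "www.example.com"),
        ("*.example.com", "a.b.example.com"),
        ("www*.example.com", "www1.example.com"),
        ("www.*.example.com", "www.a.example.com"),
    ]
    for pattern, host in samples:
        print(pattern, host, classify_pattern(pattern), dnsname_matches(pattern, host))
```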