
Author christian.heimes
Recipients alex, christian.heimes, dstufft, hynek, janssen, samiam
Date 2017-11-11.11:18:39
Message-id <1510399119.71.0.213398074469.issue31997@psf.upfronthosting.co.za>
Content
After more investigation and discussion with Daniel Stenberg, I'm considering closing the issue as WONTFIX + documentation update. The issue cannot be addressed in the SSL/TLS layer. I'm waiting for a reply from Ryan Sleevi on CAB baseline requirements. BR 1.5.1 does not state if trailing dots are allowed.

The trailing dot issue affects more than just hostname matching. For HTTPS, server name indication (SNI) and the HTTP "Host" header play an important role, too. In general the SNI TLS header and the HTTP Host header must match. In case the HTTP header is missing or deviates from the SNI header, web servers like Apache fail with a Bad Request error. In general SNI must also match a SAN dNSName extension.

Apache with mod_ssl strips off trailing dots internally. Daniel pointed out that other web servers (IIS) do not handle trailing dots correctly. Some protocols like SMTP do not allow a trailing dot in an FQDN.

IMO the problem should be handled in high-level libraries such as urllib. urllib should use the FQDN with the trailing dot for DNS resolution, then strip off the trailing dot and use the FQDN for the HTTP Host header and server_hostname.
History
Date                 User              Action  Args
2017-11-11 11:18:39  christian.heimes  set     recipients: + christian.heimes, janssen, alex, hynek, dstufft, samiam
2017-11-11 11:18:39  christian.heimes  set     messageid: <1510399119.71.0.213398074469.issue31997@psf.upfronthosting.co.za>
2017-11-11 11:18:39  christian.heimes  link    issue31997 messages
2017-11-11 11:18:39  christian.heimes  create
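As an added example (not code from the tracker message, from CPython or from urllib), here is how a client library could implement the split the message proposes: hand the absolute name, trailing dot included, to the resolver, and use the dot-stripped name for SNI, for certificate name matching and in the HTTP Host header so that all three agree. The function and class names, the simplified RFC 6125 wildcard rule in dnsname_matches and the rejection of IP literals are this example's own assumptions; open_https needs network access and only runs when a URL is passed on the command line.

```python
"""Handle a trailing dot in an HTTPS host name outside the TLS layer.

Added example, not CPython or urllib code. The absolute name keeps its
trailing dot for DNS resolution; SNI, certificate matching and the HTTP
Host header get the name without the dot.
"""
import socket
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpsTarget:
    dns_name: str     # handed to the resolver; trailing dot kept
    tls_name: str     # SNI name and name matched against the certificate
    host_header: str  # value of the HTTP Host header (port if non-default)
    port: int


def split_https_target(url: str) -> HttpsTarget:
    """Derive the resolver, TLS and Host-header names from an https URL.

    Assumption (not from the message): IP literals are rejected because the
    trailing-dot rule only concerns DNS names.
    """
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased by urlsplit, IPv6 brackets stripped
    if parts.scheme != "https" or not host:
        raise ValueError(f"expected an https URL with a host name: {url!r}")
    if ":" in host or host.replace(".", "").isdigit():
        raise ValueError(f"IP literal, not a DNS name: {host!r}")
    labels = host.split(".")
    if labels[-1] == "":          # "example.com." -> ["example", "com", ""]
        labels.pop()
    if not labels or any(label == "" for label in labels):
        # rejects ".", "example..com" and "example.com.." (empty label)
        raise ValueError(f"malformed DNS name: {host!r}")
    tls_name = ".".join(labels)
    port = parts.port or 443
    host_header = tls_name if port == 443 else f"{tls_name}:{port}"
    return HttpsTarget(dns_name=host, tls_name=tls_name,
                       host_header=host_header, port=port)


def dnsname_matches(san_dnsname: str, tls_name: str) -> bool:
    """Compare a SAN dNSName with the SNI name, ignoring case and trailing dots.

    Simplified RFC 6125 rule (assumption): '*' is accepted only as the whole
    left-most label and matches exactly one label.
    """
    pattern = san_dnsname.lower().rstrip(".").split(".")
    name = tls_name.lower().rstrip(".").split(".")
    if len(pattern) != len(name):
        return False
    if pattern[0] == "*":
        return len(name) > 1 and name[0] != "" and pattern[1:] == name[1:]
    return pattern == name


def build_request(target: HttpsTarget, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request whose Host header agrees with the SNI name."""
    return (f"GET {path} HTTP/1.1\r\nHost: {target.host_header}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def open_https(target: HttpsTarget, timeout: float = 10.0) -> ssl.SSLSocket:
    """Resolve with the dotted (absolute) name, then send SNI without the dot."""
    infos = socket.getaddrinfo(target.dns_name, target.port,
                               type=socket.SOCK_STREAM)
    family, socktype, proto, _, sockaddr = infos[0]
    raw = socket.socket(family, socktype, proto)
    raw.settimeout(timeout)
    raw.connect(sockaddr)
    ctx = ssl.create_default_context()
    # server_hostname drives both SNI and the certificate hostname check
    return ctx.wrap_socket(raw, server_hostname=target.tls_name)


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com.:8443/"
    target = split_https_target(url)
    print(target)
    if len(sys.argv) > 1:  # network access only on explicit request
        with open_https(target) as tls:
            tls.sendall(build_request(target))
            print(tls.recv(256).decode("latin-1"))
```

Without an argument the script only prints the derived names for a constructed URL; with an https URL it resolves the absolute name and completes the handshake, so a certificate for www.example.com validates even though the URL carried www.example.com. with the trailing dot.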