
Author: christian.heimes
Recipients: alex, christian.heimes, dstufft, hynek, janssen, samiam
Date: 2017-11-14 22:13:31
Message-id: <1510697612.05.0.213398074469.issue31997@psf.upfronthosting.co.za>
As I explained before, the ssl module is the wrong place to address the issue. You *must* keep SNI TLS extension, HTTP Host header, and hostname for SAN matching in sync. Python uses the server_hostname argument for both SNI and hostname verification.

The issue must be solved in HTTP layer because the HTTP layer is the only place that can affect the HTTP Host header and SNI.

OpenSSL and NSS (Firefox's crypto and TLS lib) agree with me. Neither likes trailing dots in hostnames either. BoringSSL's hostname verification code is based on OpenSSL's code. I'm pretty sure that Chrome handles a trailing dot in a different layer, not in the actual TLS and X.509 handler. Ryan merely said that Chrome supports hostnames with a trailing dot, not BoringSSL.

$ /usr/lib64/nss/unsupported-tools/vfyserv www.python.org
Connecting to host www.python.org (addr 151.101.112.223) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
   bulk cipher AES-128-GCM, 128 secret key bits, 128 key bits, status: 1
   subject DN:
 CN=www.python.org,O=Python Software Foundation,L=Wolfeboro,ST=New Hampshire,C=US,postalCode=03894-4801,STREET=16 Allen Rd,serialNumber=3359300,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization
   issuer  DN:
 CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
   0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 518 bytes total.

$ /usr/lib64/nss/unsupported-tools/vfyserv www.python.org.
Connecting to host www.python.org. (addr 151.101.112.223) on port 443
Error in function PR_Write: -12276
 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.


$ openssl s_client -servername www.python.org -verify_hostname www.python.org -connect www.python.org:443
...
SSL handshake has read 4204 bytes and written 403 bytes
Verification: OK
Verified peername: www.python.org
...

$ openssl s_client -servername www.python.org. -verify_hostname www.python.org. -connect www.python.org.:443
...
SSL handshake has read 4204 bytes and written 404 bytes
Verification error: Hostname mismatch
...
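As an added illustration (not code from the bug report or from CPython), the following sketches the literal, label-by-label SAN matching that OpenSSL and NSS apply, and the HTTP-layer normalisation the message argues for, so that Host header, SNI and the verified name are derived from one value. `dns_name_matches`, `normalize_http_host` and `connection_parameters` are hypothetical helpers.

```python
# Added example: why "www.python.org." fails at the TLS layer and how the
# HTTP layer should normalise the name once for Host, SNI and SAN matching.

def dns_name_matches(san_pattern: str, hostname: str) -> bool:
    """Compare hostname with a certificate dNSName entry roughly the way
    X509_check_host does: case-insensitive, label-by-label, a wildcard only
    as the whole left-most label, and no tolerance for a trailing dot
    (the extra empty label simply makes the label counts differ)."""
    p_labels = san_pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if "" in h_labels:                 # leading, trailing or doubled dot
        return False
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:          # refuse "*.org"-style wildcards
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def normalize_http_host(host: str) -> str:
    """HTTP-layer normalisation (hypothetical): accept an absolute FQDN
    with one trailing dot, strip it, lower-case, reject empty labels."""
    host = host.lower()
    if host.endswith("."):
        host = host[:-1]
    if not host or "" in host.split("."):
        raise ValueError("invalid hostname: %r" % host)
    return host


def connection_parameters(user_host: str) -> dict:
    """Derive every name-bearing field from the same normalised value, so
    Host header, SNI and server_hostname (which Python's ssl uses for both
    SNI and hostname verification) cannot drift apart."""
    name = normalize_http_host(user_host)
    return {
        "host_header": name,
        "sni": name,
        "server_hostname": name,   # pass to SSLContext.wrap_socket(...)
    }


def cert_matches(san_entries, hostname: str) -> bool:
    """True if any dNSName SAN entry matches the presented hostname."""
    return any(dns_name_matches(san, hostname) for san in san_entries)
```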