
Author christian.heimes
Recipients alex, christian.heimes, dstufft, janssen, lukasz.langa, ned.deily
Date 2019-07-01.06:47:03
Message-id <1561963624.13.0.490304493984.issue37463@roundup.psfhosted.org>
Content
inet_aton accepts trailing characters after a valid IP (https://bugzilla.redhat.com/show_bug.cgi?id=1347549). This, in combination with its use inside ssl.match_hostname, allows the following code to work when it should fail:

import ssl
cert = {'subjectAltName': (('IP Address', '1.1.1.1'),)}
# Expected: ssl.CertificateError. On affected versions this returns without error,
# because the trailing text after '1.1.1.1' is silently ignored by inet_aton.
ssl.match_hostname(cert, '1.1.1.1 ; this should not work but does')


The bug was initially found by Dominik Czarnota and reported by Paul Kehrer.

The issue was introduced in commit aef1283ba428e33397d87cee3c54a5110861552d / bpo-32819. Only 3.7 and newer are affected. It's a potential security bug although low severity. For one, Python 3.7 and newer no longer use ssl.match_hostname() to verify hostnames and IP addresses of a certificate. Matching is performed by OpenSSL.
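As an added illustration (not part of the bug report and not CPython's fix), the following contrasts the platform-dependent leniency of socket.inet_aton with a strict whole-string parse via the ipaddress module, and shows an IP-literal SAN check built on the strict parser. The helper names (inet_aton_accepts, parse_ip_strict, match_ip_san) and the sample certificate dict are constructed for this example.

```python
import ipaddress
import socket

# Constructed sample: the same subjectAltName shape the report uses.
CERT = {'subjectAltName': (('IP Address', '1.1.1.1'),)}


def inet_aton_accepts(text):
    """Report whether the C library's inet_aton (via socket.inet_aton) accepts
    the string. The answer is platform dependent: glibc stops parsing at the
    first whitespace and ignores whatever follows, which is the root cause
    described in this issue; other libcs reject trailing characters."""
    try:
        socket.inet_aton(text)
        return True
    except OSError:
        return False


def parse_ip_strict(text):
    """Return an IPv4Address/IPv6Address only if the *entire* string is an
    IP literal; any trailing or leading characters make it None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def match_ip_san(cert, hostname):
    """Strictly match an IP literal against the certificate's 'IP Address'
    subjectAltName entries. Both sides are parsed with parse_ip_strict, so a
    hostname such as '1.1.1.1 ; garbage' can never match '1.1.1.1'."""
    host_ip = parse_ip_strict(hostname)
    if host_ip is None:
        return False
    for kind, value in cert.get('subjectAltName', ()):
        if kind != 'IP Address':
            continue
        san_ip = parse_ip_strict(value)
        if san_ip is not None and san_ip == host_ip:
            return True
    return False


if __name__ == '__main__':
    bad = '1.1.1.1 ; this should not work but does'
    print('inet_aton accepts trailing text on this platform:', inet_aton_accepts(bad))
    print('strict match, exact literal:', match_ip_san(CERT, '1.1.1.1'))
    print('strict match, trailing text:', match_ip_san(CERT, bad))
```

Only the strict results are stable across platforms; the inet_aton_accepts line documents what the local libc does.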