mirror of
https://github.com/python/cpython.git
synced 2024-11-27 03:45:08 +08:00
bpo-23033: Improve SSL Certificate handling (GH-937)
Wildcard is now supported in hostname when it is one and only character in the leftmost segment.
This commit is contained in:
parent
0cd2e81bea
commit
ede2ac913e
@ -429,6 +429,10 @@ Certificate handling
|
||||
Matching of IP addresses, when present in the subjectAltName field
|
||||
of the certificate, is now supported.
|
||||
|
||||
.. versionchanged:: 3.7
|
||||
Allow wildcard when it is the leftmost and the only character
|
||||
in that segment.
|
||||
|
||||
.. function:: cert_time_to_seconds(cert_time)
|
||||
|
||||
Return the time in seconds since the Epoch, given the ``cert_time``
|
||||
|
@ -221,7 +221,7 @@ class CertificateError(ValueError):
|
||||
pass
|
||||
|
||||
|
||||
def _dnsname_match(dn, hostname, max_wildcards=1):
|
||||
def _dnsname_match(dn, hostname):
|
||||
"""Matching according to RFC 6125, section 6.4.3
|
||||
|
||||
http://tools.ietf.org/html/rfc6125#section-6.4.3
|
||||
@ -233,7 +233,12 @@ def _dnsname_match(dn, hostname, max_wildcards=1):
|
||||
leftmost, *remainder = dn.split(r'.')
|
||||
|
||||
wildcards = leftmost.count('*')
|
||||
if wildcards > max_wildcards:
|
||||
if wildcards == 1 and len(leftmost) > 1:
|
||||
# Only match wildcard in leftmost segment.
|
||||
raise CertificateError(
|
||||
"wildcard can only be present in the leftmost segment: " + repr(dn))
|
||||
|
||||
if wildcards > 1:
|
||||
# Issue #17980: avoid denials of service by refusing more
|
||||
# than one wildcard per fragment. A survey of established
|
||||
# policy among SSL implementations showed it to be a
|
||||
|
@ -512,10 +512,11 @@ class BasicSocketTests(unittest.TestCase):
|
||||
fail(cert, 'Xa.com')
|
||||
fail(cert, '.a.com')
|
||||
|
||||
# only match one left-most wildcard
|
||||
# only match wildcards when they are the only thing
|
||||
# in left-most segment
|
||||
cert = {'subject': ((('commonName', 'f*.com'),),)}
|
||||
ok(cert, 'foo.com')
|
||||
ok(cert, 'f.com')
|
||||
fail(cert, 'foo.com')
|
||||
fail(cert, 'f.com')
|
||||
fail(cert, 'bar.com')
|
||||
fail(cert, 'foo.a.com')
|
||||
fail(cert, 'bar.foo.com')
|
||||
@ -552,8 +553,8 @@ class BasicSocketTests(unittest.TestCase):
|
||||
# are supported.
|
||||
idna = 'www*.pythön.org'.encode("idna").decode("ascii")
|
||||
cert = {'subject': ((('commonName', idna),),)}
|
||||
ok(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
|
||||
ok(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
|
||||
fail(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
|
||||
fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
|
||||
fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
|
||||
fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
|
||||
|
||||
@ -637,7 +638,7 @@ class BasicSocketTests(unittest.TestCase):
|
||||
# Issue #17980: avoid denials of service by refusing more than one
|
||||
# wildcard per fragment.
|
||||
cert = {'subject': ((('commonName', 'a*b.com'),),)}
|
||||
ok(cert, 'axxb.com')
|
||||
fail(cert, 'axxb.com')
|
||||
cert = {'subject': ((('commonName', 'a*b.co*'),),)}
|
||||
fail(cert, 'axxb.com')
|
||||
cert = {'subject': ((('commonName', 'a*b*.com'),),)}
|
||||
|
@ -1467,6 +1467,7 @@ Nathan Paul Simons
|
||||
Guilherme Simões
|
||||
Adam Simpkins
|
||||
Ravi Sinha
|
||||
Mandeep Singh
|
||||
Janne Sinkkonen
|
||||
Ng Pheng Siong
|
||||
Yann Sionneau
|
||||
|
@ -0,0 +1,3 @@
|
||||
Wildcard is now supported in hostname when it is one and only character in
|
||||
the left most segment of hostname in second argument of
|
||||
:meth:`ssl.match_hostname`. Patch by Mandeep Singh.
|
Loading…
Reference in New Issue
Block a user