On Sunday, 6 August 2017 14:10:36 UTC+1, alex....@gmail.com  wrote:
> - Using non-IDNA encoded values in the CN, but (correctly!) IDNA encoding the 

Note https://bugs.python.org/issue28414

At least one popular implementation of TLS in a non-browser client (the Python 
SSL implementation) requires that non-ASCII FQDNs are written out as U-labels 
in the Common Name in order to correctly match them.

It can't work with A-labels because it (erroneously) transforms Punycoded names 
into U-labels before matching and, as a result, it can't match IDNs in SANs at 
all, since these will be presented as A-labels.

Christian considers the current situation "sane" but it will so far as I can 
see encourage CAs to issue these bogus certificates _and_ weaken the support 
for SANs, and we should encourage Python to get their act together and fix this.
dev-security-policy mailing list
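The mismatch described in the post, as an added example that is not part of the original message, of CPython, or of the linked issue: a matcher that canonicalizes the reference hostname to A-labels matches a correctly issued A-label SAN and refuses a U-label Common Name, while a simplified model of a client that compares whatever label forms it is handed only succeeds when the certificate carries the same form as the caller's string, which for a U-label hostname means a U-label CN. The two certificate dictionaries are constructed sample data in the shape of `ssl.SSLSocket.getpeercert()`, not real certificates, and the naive matcher is a simplification of the behaviour the post reports, not CPython's actual code.

```python
"""IDN hostname matching: canonical A-label comparison versus naive comparison.

Added example written for this thread; it is not code from the original post,
from CPython, or from the linked issue. The naive matcher below is a simplified
model of a client that does not canonicalize label forms, not CPython's real
implementation. The certificate dictionaries are constructed sample data in the
shape returned by ssl.SSLSocket.getpeercert(); nothing here touches the network.
"""

# Constructed sample certificate: dNSName SANs and CN all carry the A-label,
# which is how RFC 5280 / RFC 6125 expect internationalized names to appear.
CERT_ALABEL = {
    'subject': ((('commonName', 'xn--bcher-kva.example'),),),
    'subjectAltName': (('DNS', 'xn--bcher-kva.example'),
                       ('DNS', '*.xn--bcher-kva.example')),
}

# Constructed sample of the "bogus" certificate the post warns about: the CN
# holds the raw U-label and there is no dNSName SAN at all.
CERT_ULABEL_CN = {
    'subject': ((('commonName', 'bücher.example'),),),
    'subjectAltName': (),
}


def to_a_label(hostname: str) -> str:
    """Canonicalize a reference hostname to lower-case A-labels (xn--...).

    Caveat: the stdlib 'idna' codec implements IDNA 2003, so some names map
    differently from IDNA 2008 (e.g. U+00DF sharp s becomes 'ss' here).
    Production code should use the third-party 'idna' package instead.
    Labels that are already ASCII, including xn-- labels, pass through.
    """
    return hostname.rstrip('.').encode('idna').decode('ascii').lower()


def presented_names(cert: dict) -> list:
    """dNSName SAN entries if any exist; otherwise the legacy CN fallback."""
    sans = [v for (k, v) in cert.get('subjectAltName', ()) if k == 'DNS']
    if sans:
        return sans
    return [v for rdn in cert.get('subject', ())
            for (k, v) in rdn if k == 'commonName']


def _labels_match(presented: str, reference: str) -> bool:
    """Label-wise comparison; a wildcard is honoured only as the entire
    left-most label (RFC 6125 s. 6.4.3), never embedded inside a label."""
    p_labels = presented.lower().rstrip('.').split('.')
    r_labels = reference.split('.')
    if len(p_labels) != len(r_labels):
        return False
    if '*' in presented:
        if p_labels[0] != '*' or len(p_labels) < 3:
            return False
        return p_labels[1:] == r_labels[1:]
    return p_labels == r_labels


def match_hostname_canonical(cert: dict, hostname: str) -> bool:
    """Correct form: the reference identifier is converted to A-labels and the
    certificate's names are used as-is, because they must already be A-labels.
    A non-ASCII presented name is malformed and is skipped, not 'repaired'."""
    ref = to_a_label(hostname)
    for name in presented_names(cert):
        if not name.isascii():
            continue
        if _labels_match(name, ref):
            return True
    return False


def match_hostname_naive(cert: dict, hostname: str) -> bool:
    """Failure mode (simplified model): compare whichever label forms the two
    sides happen to arrive in. With a U-label hostname this can only match a
    U-label CN, which is the pressure on CAs the post describes."""
    ref = hostname.lower().rstrip('.')
    return any(_labels_match(name, ref) for name in presented_names(cert))


if __name__ == '__main__':
    for host in ('bücher.example', 'xn--bcher-kva.example', 'www.bücher.example'):
        for desc, cert in (('A-label cert', CERT_ALABEL),
                           ('U-label CN cert', CERT_ULABEL_CN)):
            print(f'{host:24s} {desc:16s} canonical='
                  f'{match_hostname_canonical(cert, host)!s:5s} '
                  f'naive={match_hostname_naive(cert, host)}')
```

The canonical matcher deliberately declines to match a U-label CN rather than converting it: a lenient client could canonicalize the certificate side too, but that rewards exactly the malformed issuance the post objects to. The wildcard rule is kept to a whole left-most label with at least two labels to its right, which also avoids matching a wildcard against an A-label fragment.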
