On Sunday, 6 August 2017 14:10:36 UTC+1, [email protected] wrote:
> - Using non-IDNA encoded values in the CN, but (correctly!) IDNA encoding the
> SAN
Note https://bugs.python.org/issue28414

At least one popular implementation of TLS in a non-browser client (the Python SSL implementation) requires that non-ASCII FQDNs are written out as U-labels in the Common Name in order to correctly match them. It can't work with A-labels because it (erroneously) transforms Punycoded names into U-labels before matching, and as a result it can't match IDNs in SANs at all, since these will be presented as A-labels.

Christian considers the current situation "sane", but it will, so far as I can see, encourage CAs to issue these bogus certificates _and_ weaken the support for SANs, and we should encourage Python to get their act together and fix this.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
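Added example (not from this thread and not Python's own ssl code): a hostname matcher that canonicalises both the presented name and the SAN dNSName entries to A-labels before comparing, so a U-label or A-label hostname matches an A-label SAN, beside a constructed `buggy_match` that mirrors the failure mode described above (SAN decoded to U-labels, then compared with the A-label hostname). The function names and the sample SAN list are assumptions made for the example.

```python
# Added example; relies only on Python's built-in "idna" codec (IDNA 2003).

def to_alabel(name: str) -> str:
    """Canonicalise a hostname to lowercase A-labels (ASCII).
    A-label and plain ASCII labels pass through; U-labels are
    Punycode-encoded per label. A bare '*' label is kept for wildcards."""
    labels = []
    for label in name.rstrip(".").split("."):
        if label == "*":
            labels.append(label)
        else:
            # The idna codec leaves pure-ASCII labels untouched (and does not
            # lowercase them), so lowercase explicitly for a case-insensitive match.
            labels.append(label.encode("idna").decode("ascii").lower())
    return ".".join(labels)


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison on A-labels: exact match, or a single '*'
    as the whole leftmost label matching exactly one hostname label."""
    p_labels = to_alabel(pattern).split(".")
    h_labels = to_alabel(hostname).split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def match_hostname(san_dnsnames, hostname: str) -> bool:
    """Accept if any SAN dNSName entry matches the presented hostname."""
    return any(dnsname_matches(p, hostname) for p in san_dnsnames)


def buggy_match(san_dnsnames, hostname: str) -> bool:
    """Constructed illustration of the mismatch discussed in the thread:
    SAN values are decoded to U-labels, while the name the client connected
    to is an A-label, so the two strings never agree."""
    decoded = [n.encode("ascii").decode("idna") for n in san_dnsnames]
    return hostname.lower() in decoded


# Constructed SAN list as a CA would (correctly) issue it: A-labels only.
SAMPLE_SAN = ["xn--bcher-kva.example", "*.xn--bcher-kva.example"]

if __name__ == "__main__":
    for host in ("bücher.example", "xn--bcher-kva.example", "shop.bücher.example"):
        print(host, "->", match_hostname(SAMPLE_SAN, host), "| buggy:",
              buggy_match(SAMPLE_SAN, host))
```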

