On Sunday, 6 August 2017 14:10:36 UTC+1, alex....@gmail.com  wrote:
> - Using non-IDNA encoded values in the CN, but (correctly!) IDNA encoding the SAN

Note https://bugs.python.org/issue28414

At least one popular implementation of TLS in a non-browser client (the Python 
SSL implementation) requires that non-ASCII FQDNs are written out as U-labels 
in the Common Name in order to correctly match them.

It can't work with A-labels because it (erroneously) transforms Punycoded names 
into U-labels before matching and as a result it can't match IDNs in SANs at 
all, since these will be presented as A-labels.

Christian considers the current situation "sane" but it will so far as I can 
see encourage CAs to issue these bogus certificates _and_ weaken the support 
for SANs, and we should encourage Python to get their act together and fix this.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
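The following is an added example, not code from the post above and not CPython's ssl module. It models the matching problem the post describes: a hostname matcher that canonicalises both the reference hostname and every presented dNSName/CN to A-labels (the form certificates carry) matches an IDN SAN correctly, whereas a matcher that decodes the reference hostname to U-labels and compares presented names as-is can only succeed against a certificate whose CN was (wrongly) issued as a U-label. The function names, the simplified "U-label model", and the two sample certificates are constructed for this example; the only library facility used is Python's built-in `idna` codec.

```python
# Added example, not code from the mailing-list post or from CPython's ssl module.
# It models IDN hostname matching against certificate names to show why a
# matcher must canonicalise BOTH the reference hostname and the presented
# dNSName/CN values to A-labels rather than decoding anything to U-labels.
# Function names, the simplified "U-label model" matcher and the sample
# certificates below are all constructed here.


def to_alabel(name: str) -> str:
    """Canonicalise a hostname to lower-case A-labels ("xn--" Punycode form).

    Uses Python's built-in 'idna' codec (IDNA 2003), which is adequate for the
    sample names here; labels that are already ASCII pass through unchanged.
    A production matcher should use an IDNA 2008 implementation.
    """
    return name.rstrip(".").encode("idna").decode("ascii").lower()


def to_ulabel(name: str) -> str:
    """Decode A-labels to U-labels: the transformation the post says is applied
    to Punycoded names before matching (modelled here, not CPython's code)."""
    return name.rstrip(".").encode("idna").decode("idna").lower()


def dns_name_matches(presented: str, reference: str) -> bool:
    """Compare one presented identifier with the reference identity.

    Both strings must already be in the same canonical form. A single leading
    "*." wildcard matches exactly one label and nothing more.
    """
    if presented.startswith("*."):
        first, _, rest = reference.partition(".")
        return bool(first) and rest == presented[2:]
    return presented == reference


def _presented_names(cert: dict):
    """Yield ("SAN", value) for dNSName SANs and ("CN", value) for commonNames,
    reading the same dict layout ssl.getpeercert() returns."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            yield "SAN", value
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                yield "CN", value


def match_hostname_alabel(cert: dict, hostname: str) -> bool:
    """RFC 6125-style matching: canonicalise everything to A-labels, match
    against dNSName SANs, and consult the CN only if no dNSName SAN exists."""
    reference = to_alabel(hostname)
    names = list(_presented_names(cert))
    sans = [to_alabel(v) for kind, v in names if kind == "SAN"]
    if sans:
        return any(dns_name_matches(s, reference) for s in sans)
    return any(dns_name_matches(to_alabel(v), reference)
               for kind, v in names if kind == "CN")


def match_hostname_ulabel_model(cert: dict, hostname: str) -> bool:
    """Constructed, simplified model of the failure mode the post describes:
    the reference hostname is decoded to U-labels while presented names are
    compared exactly as they appear in the certificate (A-label SANs, and
    possibly a U-label CN). This is NOT CPython's implementation."""
    reference = to_ulabel(hostname)
    return any(dns_name_matches(v.lower(), reference)
               for _, v in _presented_names(cert))


# Constructed sample certificates in ssl.getpeercert() dict layout.
CERT_CORRECT = {
    "subject": ((("commonName", "xn--bcher-kva.example"),),),
    "subjectAltName": (("DNS", "xn--bcher-kva.example"), ("DNS", "*.example.org")),
}
# The "bogus" shape the thread discusses: U-label in the CN, A-label in the SAN.
CERT_BOGUS_CN = {
    "subject": ((("commonName", "bücher.example"),),),
    "subjectAltName": (("DNS", "xn--bcher-kva.example"),),
}


def demo() -> dict:
    """Run both matchers over the sample certificates and return the results."""
    return {
        "alabel_form": to_alabel("Bücher.example"),
        "alabel_matcher_correct_cert_ulabel_host": match_hostname_alabel(CERT_CORRECT, "bücher.example"),
        "alabel_matcher_correct_cert_alabel_host": match_hostname_alabel(CERT_CORRECT, "xn--bcher-kva.example"),
        "alabel_matcher_wildcard": match_hostname_alabel(CERT_CORRECT, "www.example.org"),
        "alabel_matcher_wildcard_two_labels": match_hostname_alabel(CERT_CORRECT, "a.b.example.org"),
        "ulabel_model_correct_cert": match_hostname_ulabel_model(CERT_CORRECT, "bücher.example"),
        "ulabel_model_bogus_cert": match_hostname_ulabel_model(CERT_BOGUS_CN, "bücher.example"),
        "alabel_matcher_bogus_cert": match_hostname_alabel(CERT_BOGUS_CN, "bücher.example"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two behaviours side by side: the A-label matcher accepts the correctly issued certificate whether the caller supplies the hostname as a U-label or an A-label, and it accepts the bogus certificate only because of its A-label SAN (the U-label CN is never consulted when a dNSName SAN is present). The U-label model rejects the correctly issued certificate entirely and accepts only the bogus one, which is exactly the incentive for CAs to keep issuing such certificates that the post warns about.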
