Antoine Pitrou added the comment:
Indeed, two wildcards seem to be ok with a 255-character domain name:
$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
1000 loops, best of 3: 797 usec per loop
Three wildcards already start producing some load:
$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 66.2 msec per loop
Four wildcards are more than enough for a DoS:
$ ./python -m timeit -s "import ssl; cert = {'subject': ((('commonName', '*a*a*a*a.com'),),)}" "try: ssl.match_hostname(cert, 'a' * 250 +'z.com')" "except ssl.CertificateError: pass"
10 loops, best of 3: 4.12 sec per loop
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue17980>
_______________________________________
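The blow-up measured above comes from how the wildcard is turned into a regular expression: every '*' in the name becomes '[^.]*', so a name with k wildcards matched against a long run of 'a's that ultimately fails (the 'z' before '.com') makes the engine try every way of splitting the run among the k groups, roughly O(n^k) work. The following is an added example, not code from the report or from CPython: a simplified reconstruction of that pre-fix translation (dnsname_match_unbounded) next to a matcher that caps the wildcard count and only honours wildcards in the leftmost label, in the spirit of the eventual fix (dnsname_match). The cert dict shape is the one ssl.getpeercert() returns and the one used in the timings above; the function names and the raises_certificate_error helper are this example's own.

```python
import re
import time


class CertificateError(ValueError):
    """Raised when a certificate name does not match or is malformed."""


def _pattern_unbounded(dn):
    # Simplified reconstruction (not CPython source) of the pre-fix wildcard
    # translation: every '*' in every label becomes '[^.]*'. For a name such
    # as '*a*a*a*a.com' the anchored pattern is [^.]*a[^.]*a[^.]*a[^.]*a\.com;
    # against 'aaaa...az.com' it can never match, so the engine backtracks
    # through every split of the 'a' run among the four groups: O(n^4).
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)


def dnsname_match_unbounded(dn, hostname):
    """Vulnerable matcher: no limit on the number of wildcards."""
    return _pattern_unbounded(dn).match(hostname) is not None


def dnsname_match(dn, hostname, max_wildcards=1):
    """Hardened matcher: wildcards are honoured only in the leftmost label,
    and more than max_wildcards of them is rejected as malformed before any
    regex is compiled, so the O(n^k) case is never reached."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        # Common case: plain case-insensitive comparison, no regex at all.
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == '*':
        pats.append('[^.]+')  # a bare '*' must match one non-empty label
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats.append(re.escape(leftmost))  # no wildcard expansion in IDNA labels
    else:
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    # Remaining labels are literal: nothing left to backtrack over.
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname, matcher=dnsname_match):
    """Check a cert dict (the ssl.getpeercert() shape) against hostname.
    Returns the matching name, raises CertificateError on mismatch or on a
    malformed wildcard name. Like ssl.match_hostname, commonName is only
    consulted when the certificate carries no dNSName subjectAltName."""
    dnsnames = [value for key, value in cert.get('subjectAltName', ())
                if key == 'DNS']
    if not dnsnames:
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    dnsnames.append(value)
    for name in dnsnames:
        if matcher(name, hostname):
            return name
    raise CertificateError(
        "hostname %r doesn't match %r" % (hostname, dnsnames))


def raises_certificate_error(func, *args):
    """True if calling func(*args) raises CertificateError."""
    try:
        func(*args)
    except CertificateError:
        return True
    return False


if __name__ == "__main__":
    # The four-wildcard certificate from the report; a shorter host than the
    # 250 'a's used there keeps the unbounded run to well under a minute.
    cert = {'subject': ((('commonName', '*a*a*a*a.com'),),)}
    host = 'a' * 60 + 'z.com'
    for label, matcher in (("unbounded", dnsname_match_unbounded),
                           ("hardened", dnsname_match)):
        start = time.perf_counter()
        try:
            match_hostname(cert, host, matcher=matcher)
        except CertificateError as exc:
            print("%s: rejected (%s)" % (label, exc))
        print("%s: %.4f s" % (label, time.perf_counter() - start))
```

Lengthen the 'a' run in the main block and the unbounded timing grows as the fourth power while the hardened matcher stays constant, since it throws the name out on the wildcard count alone. Note the hardened matcher also rejects the two-wildcard name the report found harmless in practice; the cap exists because the cost is a property of the count, not of any one name.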