Christian Heimes <li...@cheimes.de> added the comment:

As I explained before, the ssl module is the wrong place to address the issue. 
You *must* keep SNI TLS extension, HTTP Host header, and hostname for SAN 
matching in sync. Python uses the server_hostname argument for both SNI and 
hostname verification.

The issue must be solved in the HTTP layer because the HTTP layer is the only place 
that can affect both the HTTP Host header and SNI.

OpenSSL and NSS (Firefox's crypto and TLS lib) agree with me. Neither of them likes 
trailing dots in hostnames either. BoringSSL's hostname verification code is 
based on OpenSSL's code. I'm pretty sure that Chrome handles trailing dots in a 
different layer, not in the actual TLS and X.509 handler. Ryan merely said that 
Chrome supports hostnames with a trailing dot, not BoringSSL.

$ /usr/lib64/nss/unsupported-tools/vfyserv www.python.org
Connecting to host www.python.org (addr 151.101.112.223) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
   bulk cipher AES-128-GCM, 128 secret key bits, 128 key bits, status: 1
   subject DN:
 CN=www.python.org,O=Python Software Foundation,L=Wolfeboro,ST=New Hampshire,C=US,postalCode=03894-4801,STREET=16 Allen Rd,serialNumber=3359300,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization
   issuer  DN:
 CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
   0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 518 bytes total.

$ /usr/lib64/nss/unsupported-tools/vfyserv www.python.org.
Connecting to host www.python.org. (addr 151.101.112.223) on port 443
Error in function PR_Write: -12276
 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.

$ openssl s_client -servername www.python.org -verify_hostname www.python.org -connect www.python.org:443
...
SSL handshake has read 4204 bytes and written 403 bytes
Verification: OK
Verified peername: www.python.org
...

$ openssl s_client -servername www.python.org. -verify_hostname www.python.org. -connect www.python.org.:443
...
SSL handshake has read 4204 bytes and written 404 bytes
Verification error: Hostname mismatch
...

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31997>
_______________________________________
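The following is an added worked example illustrating the point made in the comment above; it is not code from CPython, from the bug report, or from its author. It shows why a single server_hostname string has to match the certificate's SAN entries (a trailing dot yields an extra empty label and therefore a mismatch, as in the OpenSSL and NSS runs above) and how an HTTP client can normalise the name it passes to the TLS layer while leaving the Host header alone. The helper names (tls_hostname, match_san, https_target, open_https), the sample SAN list and the choice to keep the caller's spelling in the Host header are all assumptions made for the example.

```python
"""Added example (not CPython's code): HTTP-layer handling of a hostname with
a trailing dot. Python's ssl module takes one server_hostname that feeds both
the SNI extension and SAN matching, so the caller has to hand it a name in
the form that appears in the certificate. Helper names are hypothetical."""
import socket
import ssl

# Constructed SAN list for the worked example; not copied from a real cert.
SAMPLE_SANS = ["www.python.org", "python.org", "*.python.org"]


def tls_hostname(host: str) -> str:
    """Return the name to give ssl.SSLContext.wrap_socket(server_hostname=...).

    RFC 6066 defines the SNI HostName as an ASCII FQDN without a trailing
    dot, and X.509 dNSName SAN entries never carry one either, so the
    trailing dot is stripped and the result is IDNA-encoded and lower-cased.
    """
    host = host.strip()
    if host.startswith("[") and host.endswith("]"):   # bracketed IPv6 literal
        return host[1:-1]
    if host.endswith("."):
        host = host[:-1]
    return host.encode("idna").decode("ascii").lower()


def _dns_name_match(pattern: str, name: str) -> bool:
    """Label-by-label comparison in the spirit of RFC 6125: a wildcard is
    accepted only as the complete left-most label and must be followed by at
    least two more labels. A trailing dot in `name` produces an extra empty
    label, which is exactly why OpenSSL and NSS report a hostname mismatch."""
    pat = pattern.lower().split(".")
    lab = name.lower().split(".")
    if len(pat) != len(lab):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and pat[1:] == lab[1:]
    return pat == lab


def match_san(dns_names, hostname: str) -> bool:
    """True if `hostname` matches one of the certificate's dNSName SANs."""
    return any(_dns_name_match(p, hostname) for p in dns_names)


def https_target(host: str, port: int = 443) -> dict:
    """What the HTTP client passes down for one request.

    Design choice (an assumption for this example, not something the thread
    specifies): the Host header keeps the caller's spelling, trailing dot
    included, because that is the origin the caller asked for; only the name
    given to the TLS layer is normalised.
    """
    host_header = host if port == 443 else "%s:%d" % (host, port)
    return {"host_header": host_header, "server_hostname": tls_hostname(host)}


def open_https(host: str, port: int = 443, timeout: float = 10.0):
    """Live connection (not exercised offline): resolve the name exactly as
    given, since the trailing dot is meaningful to the resolver, but send SNI
    for and verify against the normalised form."""
    target = https_target(host, port)
    ctx = ssl.create_default_context()   # check_hostname=True, CERT_REQUIRED
    raw = socket.create_connection((host, port), timeout)
    tls = ctx.wrap_socket(raw, server_hostname=target["server_hostname"])
    return tls, target["host_header"]


if __name__ == "__main__":
    for name in ("www.python.org", "www.python.org."):
        print("%-17s raw SAN match: %-5s  after normalisation: %s" % (
            name, match_san(SAMPLE_SANS, name),
            match_san(SAMPLE_SANS, tls_hostname(name))))
```

Run stand-alone, the script shows "www.python.org." failing the raw SAN comparison and passing once tls_hostname() has stripped the dot, which is the same split the comment describes: the TLS library is right to reject the dotted form, and the HTTP layer is the place to take it off before calling wrap_socket().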