Christian Heimes <li...@cheimes.de> added the comment: As I explained before, the ssl module is the wrong place to address the issue. You *must* keep SNI TLS extension, HTTP Host header, and hostname for SAN matching in sync. Python uses the server_hostname argument for both SNI and hostname verification.
The issue must be solved in the HTTP layer, because the HTTP layer is the only place that can affect both the HTTP Host header and SNI. OpenSSL and NSS (Firefox's crypto and TLS lib) agree with me. Neither likes trailing dots in hostnames either. BoringSSL's hostname verification code is based on OpenSSL's code. I'm pretty sure that Chrome handles the trailing dot in a different layer, not in the actual TLS and X.509 handler. Ryan merely said that Chrome supports hostnames with a trailing dot, not BoringSSL.

$ /usr/lib64/nss/unsupported-tools/vfyserv www.python.org
Connecting to host www.python.org (addr 151.101.112.223) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
bulk cipher AES-128-GCM, 128 secret key bits, 128 key bits, status: 1
subject DN: CN=www.python.org,O=Python Software Foundation,L=Wolfeboro,ST=New Hampshire,C=US,postalCode=03894-4801,STREET=16 Allen Rd,serialNumber=3359300,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization
issuer DN: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 518 bytes total.

$ /usr/lib64/nss/unsupported-tools/vfyserv www.python.org.
Connecting to host www.python.org. (addr 151.101.112.223) on port 443
Error in function PR_Write: -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.

$ openssl s_client -servername www.python.org -verify_hostname www.python.org -connect www.python.org:443
...
SSL handshake has read 4204 bytes and written 403 bytes
Verification: OK
Verified peername: www.python.org
...

$ openssl s_client -servername www.python.org. -verify_hostname www.python.org. -connect www.python.org.:443
...
SSL handshake has read 4204 bytes and written 404 bytes
Verification error: Hostname mismatch
...
----------
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31997>
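The following is an added example illustrating the point of the message above; it is not part of Christian's comment and not code from CPython, OpenSSL or NSS. It sketches what an HTTP client layer has to do with a URL host that carries a trailing dot: derive one normalized name and use it for the SNI extension, the Host header and certificate matching alike. The SAN list SAMPLE_SAN is constructed sample data, and dns_id_matches() is a simplified RFC 6125 DNS-ID comparison written for this example; both are assumptions, not anything the tracker thread contains.

```python
"""HTTP-layer normalization of a hostname with a trailing dot.

Added example for this thread, not code from CPython, OpenSSL or NSS. It
shows why the fix belongs above the ssl module: one normalized name must
feed the SNI extension, the HTTP Host header and certificate matching.
Otherwise "www.python.org." is sent as SNI and compared label by label
against a dNSName of "www.python.org", and fails, exactly as vfyserv and
s_client do in the transcript above. SAMPLE_SAN is a constructed SAN list,
and dns_id_matches() is a simplified RFC 6125 DNS-ID comparison.
"""
import ipaddress

# Constructed sample: dNSName entries as they might appear in a server
# certificate's subjectAltName extension (never with a trailing dot).
SAMPLE_SAN = ("www.python.org", "python.org", "*.python.org")


def normalize_host(host: str) -> str:
    """Return the name to use for SNI, Host and verification alike.

    One trailing dot (absolute FQDN notation) is removed and the name is
    lower-cased; DNS names are case-insensitive but TLS stacks compare
    labels literally. Empty names and multiple trailing dots are rejected.
    """
    if host.endswith("."):
        host = host[:-1]
    if not host or host.endswith("."):
        raise ValueError(f"invalid hostname: {host!r}")
    return host.lower()


def connection_names(host: str, port: int = 443):
    """Derive (sni, host_header, verify_name) from a single normalized name.

    sni is None for IP literals because RFC 6066 forbids them in the
    server_name extension; such a peer is verified against iPAddress SANs.
    """
    name = normalize_host(host)
    bare = name.strip("[]")  # IPv6 literals arrive bracketed from the URL
    try:
        ipaddress.ip_address(bare)
    except ValueError:
        sni = verify_name = name  # a DNS name
    else:
        sni = None
        verify_name = bare
    host_header = name if port == 443 else f"{name}:{port}"
    return sni, host_header, verify_name


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Compare one SAN dNSName against a hostname, RFC 6125 style.

    Labels are compared literally; a wildcard is honoured only as the whole
    leftmost label, never across label boundaries and never for a bare TLD.
    No trailing-dot handling happens here, which is the point: the TLS layer
    sees "www.python.org." as four labels and "www.python.org" as three.
    """
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(san_dns_names, hostname: str) -> bool:
    """True if any dNSName in the SAN list matches the hostname."""
    return any(dns_id_matches(p, hostname) for p in san_dns_names)


if __name__ == "__main__":
    for raw in ("www.python.org.", "WWW.Python.org.", "[2001:db8::1]"):
        sni, host_hdr, verify = connection_names(raw, 8443)
        print(f"{raw!r}: SNI={sni!r} Host={host_hdr!r} verify={verify!r}")
    print("dotted name vs SAN :", cert_matches(SAMPLE_SAN, "www.python.org."))
    print("normalized vs SAN  :",
          cert_matches(SAMPLE_SAN, normalize_host("www.python.org.")))
```

Run stand-alone, the script shows the dotted name failing against the constructed SAN list and the normalized name passing, while connection_names() yields the same string for all three uses so they cannot drift apart; passing the raw URL host straight into ssl as server_hostname is exactly the out-of-sync case the message warns about.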