New submission from Christian Heimes <[email protected]>:
Since bpo #23033, ssl.match_hostname() no longer supports partial wildcard
matching, e.g. "www*.example.org". In case of a partial match, _dnsname_match()
fails with a confusing/wrong error message:
>>> import ssl
>>> ssl._dnsname_match('www*.example.com', 'www1.example.com')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File ".../cpython/Lib/ssl.py", line 198, in _dnsname_match
"wildcard can only be present in the leftmost segment: " + repr(dn))
ssl.SSLCertVerificationError: ("wildcard can only be present in the leftmost
segment: 'www*.example.com'",)
The wildcard *is* in the leftmost segment. But it's not a full match but a
partial match.
The error message applies to a SAN dNSName like "*.*.example.org" or
"www.*.example.com", however the function does not raise an error for multiple
or non left-most wildcards:
# multiple wildcards return None
>>> ssl._dnsname_match('*.*.example.com', 'www.sub.example.com')
# single wildcard in another label returns False
>>> ssl._dnsname_match('www.*.example.com', 'www.sub.example.com')
False
----------
assignee: christian.heimes
components: SSL
messages: 311996
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: match_hostname() error reporting bug
type: behavior
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue32819>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
