diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 9b3bdd5489d..45bb65ff071 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -429,6 +429,10 @@ Certificate handling Matching of IP addresses, when present in the subjectAltName field of the certificate, is now supported. + .. versionchanged:: 3.7 + Allow wildcard when it is the leftmost and the only character + in that segment. + .. function:: cert_time_to_seconds(cert_time) Return the time in seconds since the Epoch, given the ``cert_time`` diff --git a/Lib/ssl.py b/Lib/ssl.py index 75caae0c440..fa83606e7cd 100644 --- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -221,7 +221,7 @@ class CertificateError(ValueError): pass -def _dnsname_match(dn, hostname, max_wildcards=1): +def _dnsname_match(dn, hostname): """Matching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 @@ -233,7 +233,12 @@ def _dnsname_match(dn, hostname, max_wildcards=1): leftmost, *remainder = dn.split(r'.') wildcards = leftmost.count('*') - if wildcards > max_wildcards: + if wildcards == 1 and len(leftmost) > 1: + # Only match wildcard in leftmost segment. + raise CertificateError( + "wildcard can only be present in the leftmost segment: " + repr(dn)) + + if wildcards > 1: # Issue #17980: avoid denials of service by refusing more # than one wildcard per fragment. A survey of established # policy among SSL implementations showed it to be a diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index aa2429ac982..c65290b945f 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -512,10 +512,11 @@ class BasicSocketTests(unittest.TestCase): fail(cert, 'Xa.com') fail(cert, '.a.com') - # only match one left-most wildcard + # only match wildcards when they are the only thing + # in left-most segment cert = {'subject': ((('commonName', 'f*.com'),),)} - ok(cert, 'foo.com') - ok(cert, 'f.com') + fail(cert, 'foo.com') + fail(cert, 'f.com') fail(cert, 'bar.com') fail(cert, 'foo.a.com') fail(cert, 'bar.foo.com') @@ -552,8 +553,8 @@ class BasicSocketTests(unittest.TestCase): # are supported. idna = 'www*.pythön.org'.encode("idna").decode("ascii") cert = {'subject': ((('commonName', idna),),)} - ok(cert, 'www.pythön.org'.encode("idna").decode("ascii")) - ok(cert, 'www1.pythön.org'.encode("idna").decode("ascii")) + fail(cert, 'www.pythön.org'.encode("idna").decode("ascii")) + fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii")) fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii")) fail(cert, 'pythön.org'.encode("idna").decode("ascii")) @@ -637,7 +638,7 @@ class BasicSocketTests(unittest.TestCase): # Issue #17980: avoid denials of service by refusing more than one # wildcard per fragment. cert = {'subject': ((('commonName', 'a*b.com'),),)} - ok(cert, 'axxb.com') + fail(cert, 'axxb.com') cert = {'subject': ((('commonName', 'a*b.co*'),),)} fail(cert, 'axxb.com') cert = {'subject': ((('commonName', 'a*b*.com'),),)} diff --git a/Misc/ACKS b/Misc/ACKS index fc7154f762e..54d8d62b633 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -1467,6 +1467,7 @@ Nathan Paul Simons Guilherme Simões Adam Simpkins Ravi Sinha +Mandeep Singh Janne Sinkkonen Ng Pheng Siong Yann Sionneau diff --git a/Misc/NEWS.d/next/Library/2017-11-26-17-00-52.bpo-23033.YGXRWT.rst b/Misc/NEWS.d/next/Library/2017-11-26-17-00-52.bpo-23033.YGXRWT.rst new file mode 100644 index 00000000000..cecc10aebb9 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2017-11-26-17-00-52.bpo-23033.YGXRWT.rst @@ -0,0 +1,3 @@ +Wildcard is now supported in hostname when it is one and only character in +the left most segment of hostname in second argument of +:meth:`ssl.match_hostname`. Patch by Mandeep Singh.