mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-04 00:48:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

[bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128)

Browse source 
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.

After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
This commit is contained in:
Christian Heimes 2018-02-24 02:35:08 +01:00 committed by Nathaniel J. Smith
parent 82ab13d756
commit 11a1493bc4
7 changed files with 163 additions and 111 deletions
Download patch file Download diff file Expand all files Collapse all files

40
Lib/test/test_ssl.py
View file

@ -1528,16 +1528,6 @@ class SSLErrorTests(unittest.TestCase):
# For compatibility
self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
def test_bad_idna_in_server_hostname(self):
# Note: this test is testing some code that probably shouldn't exist
# in the first place, so if it starts failing at some point because
# you made the ssl module stop doing IDNA decoding then please feel
# free to remove it. The test was mainly added because this case used
# to cause memory corruption (see bpo-30594).
ctx = ssl.create_default_context()
with self.assertRaises(UnicodeError):
ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
server_hostname="xn--.com")
def test_bad_server_hostname(self):
ctx = ssl.create_default_context()
@ -2634,10 +2624,10 @@ class ThreadedTests(unittest.TestCase):
if support.verbose:
sys.stdout.write("\n")
server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
server_context.load_cert_chain(IDNSANSFILE)
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True
context.load_verify_locations(SIGNING_CA)
@ -2646,18 +2636,26 @@ class ThreadedTests(unittest.TestCase):
# different ways
idn_hostnames = [
('könig.idn.pythontest.net',
'könig.idn.pythontest.net',),
'xn--knig-5qa.idn.pythontest.net'),
('xn--knig-5qa.idn.pythontest.net',
'xn--knig-5qa.idn.pythontest.net'),
(b'xn--knig-5qa.idn.pythontest.net',
b'xn--knig-5qa.idn.pythontest.net'),
'xn--knig-5qa.idn.pythontest.net'),
('königsgäßchen.idna2003.pythontest.net',
'königsgäßchen.idna2003.pythontest.net'),
'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
(b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
# ('königsgäßchen.idna2008.pythontest.net',
# 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
('xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
(b'xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
]
for server_hostname, expected_hostname in idn_hostnames:
server = ThreadedEchoServer(context=server_context, chatty=True)
@ -2676,16 +2674,6 @@ class ThreadedTests(unittest.TestCase):
s.getpeercert()
self.assertEqual(s.server_hostname, expected_hostname)
# bug https://bugs.python.org/issue28414
# IDNA 2008 deviations are broken
idna2008 = 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'
server = ThreadedEchoServer(context=server_context, chatty=True)
with server:
with self.assertRaises(UnicodeError):
with context.wrap_socket(socket.socket(),
server_hostname=idna2008) as s:
s.connect((HOST, server.port))
# incorrect hostname should raise an exception
server = ThreadedEchoServer(context=server_context, chatty=True)
with server: