mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-07-07 19:35:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

bpo-23033: Improve SSL Certificate handling (GH-937)

Browse source 
Wildcard is now supported in hostname when it is one and only character in
the leftmost segment.
This commit is contained in:
Mandeep Singh 2017-11-27 04:01:27 +05:30 committed by Mariatta
parent 0cd2e81bea
commit ede2ac913e
5 changed files with 22 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

9
Lib/ssl.py
View file

@ -221,7 +221,7 @@ class CertificateError(ValueError):
pass
def _dnsname_match(dn, hostname, max_wildcards=1):
def _dnsname_match(dn, hostname):
"""Matching according to RFC 6125, section 6.4.3
http://tools.ietf.org/html/rfc6125#section-6.4.3
@ -233,7 +233,12 @@ def _dnsname_match(dn, hostname, max_wildcards=1):
leftmost, *remainder = dn.split(r'.')
wildcards = leftmost.count('*')
if wildcards > max_wildcards:
if wildcards == 1 and len(leftmost) > 1:
# Only match wildcard in leftmost segment.
raise CertificateError(
"wildcard can only be present in the leftmost segment: " + repr(dn))
if wildcards > 1:
# Issue #17980: avoid denials of service by refusing more
# than one wildcard per fragment. A survey of established
# policy among SSL implementations showed it to be a