New submission from Anton Sychugov: In accordance with http://tools.ietf.org/html/rfc6125#section-6.4.2: "If the DNS domain name portion of a reference identifier is an internationalized domain name, then an implementation MUST convert any U-labels [IDNA-DEFS] in the domain name to A-labels before checking the domain name." The question is: Where in python stdlib should it to convert domain name from U-label to A-label? Should it be in ssl._dnsname_match, e.g.: ... hostname = hostname.encode('idna').decode('utf-8') ... Or should it be at ssl._dnsname_match caller level?
I found that error appears after using ssl.SSLContext.wrap_bio, which in turn uses internal newPySSLSocket, which in turn always decode server_hostname through: PySSLSocket *self; ... PyObject *hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname), "idna", "strict"); ... self->server_hostname = hostname; In this way, SSLSocket always contains U-label in its server_hostname field, and ssl._dnsname_match falis with "ssl.CertificateError: hostname ... doesn't match either of ..." And i don't understand where is a bug, or is it a bug. ---------- components: asyncio messages: 278466 nosy: abracadaber, gvanrossum, yselivanov priority: normal severity: normal status: open title: SSL match_hostname fails for internationalized domain names versions: Python 3.4, Python 3.5 _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue28414> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
