[issue31997] SSL lib does not handle trailing dot (period) in hostname or certificate

2018-02-26 Thread Christian Heimes
Christian Heimes added the comment: I'm closing this bug as "not a bug" because it works as intended. The trailing dot has to be handled in the application layer. -- resolution: -> not a bug; stage: -> resolved; status: open -> closed

2017-11-14 Thread Christian Heimes
Christian Heimes added the comment: As I explained before, the ssl module is the wrong place to address the issue. You *must* keep SNI TLS extension, HTTP Host header, and hostname for SAN matching in sync. Python uses the server_hostname argument for both SNI and hostname verification. The

2017-11-14 Thread Sam Napolitano
Sam Napolitano added the comment: Sorry I wasn't able to get back to you sooner. If having a trailing dot in the cert is an RFC violation, then case 2 can be left alone. As for case 3, we can be more explicit: if hostname ends in a dot AND cert does not end in a dot, strip dot from hostname
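Handling the dot in the application layer, as the thread concludes and as Sam's "case 3" sketches, in an added example that is not code from the tracker or from CPython: one normalized name feeds SNI, hostname verification and the HTTP Host header, so the three can never disagree (the helper names `normalize_hostname`, `host_header` and `open_tls_connection` are the example's own).

```python
import socket
import ssl


def normalize_hostname(host: str) -> str:
    """Return the name to use for SNI, hostname verification and the Host header.

    A fully-qualified DNS name may carry one trailing dot ('example.com.').
    The ssl module compares server_hostname literally against the certificate's
    SAN entries and sends it verbatim in the SNI extension, so the dot has to
    be removed here, in the application layer, before the name reaches TLS.
    """
    name = host[:-1] if host.endswith(".") else host
    # After removing one dot the name must be non-empty and contain no empty
    # label: '.' (the DNS root) and 'example.com..' are both rejected.
    if not name or name.endswith(".") or ".." in name:
        raise ValueError(f"malformed hostname: {host!r}")
    # DNS names are case-insensitive; fold once so every layer sees the same
    # spelling.
    return name.lower()


def host_header(host: str, port: int = 443) -> str:
    """Build the HTTP Host header value from the same normalized name."""
    name = normalize_hostname(host)
    return name if port == 443 else f"{name}:{port}"


def open_tls_connection(host: str, port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect with certificate and hostname verification enabled.

    server_hostname drives both SNI and hostname matching in Python, so it
    receives the normalized name; send host_header(host, port) on the HTTP
    layer so all three stay in sync.
    """
    name = normalize_hostname(host)
    context = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    sock = socket.create_connection((name, port), timeout=timeout)
    return context.wrap_socket(sock, server_hostname=name)


if __name__ == "__main__":
    # Constructed sample names; nothing here touches the network.
    for sample in ("example.com.", "Example.COM", "example.com"):
        print(f"{sample!r:>16} -> {normalize_hostname(sample)!r}, Host: {host_header(sample, 8443)}")
```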

2017-11-11 Thread Christian Heimes
Christian Heimes added the comment: Ryan said: Chrome will match both trailing dot and non-trailing dot in URL against non-trailing dot in cert. trailing dot in cert is 5280 violation by not being in preferred name syntax https://twitter.com/sleevi_/status/929305281405833216 -- versi

2017-11-11 Thread Christian Heimes
Christian Heimes added the comment: After more investigation and discussion with Daniel Stenberg, I'm considering closing the issue as WONTFIX + documentation update. The issue cannot be addressed in the SSL/TLS layer. I'm waiting for a reply from Ryan Sleevi on CAB baseline requirements. BR

2017-11-11 Thread Hynek Schlawack
Change by Hynek Schlawack: -- nosy: +hynek

2017-11-09 Thread Christian Heimes
Christian Heimes added the comment: Trailing dots in hostnames seem to be protocol specific, e.g. SMTP does not allow them. Unless you find an RFC that mandates support for trailing dots in TLS, I'm against a change in Python's TLS stack. It's too risky to mess up SNI, too. I'd rather follow R

2017-11-09 Thread Christian Heimes
Christian Heimes added the comment: In the future Python will no longer use its own hostname verification code. Instead we are going to rely on OpenSSL to verify the hostname for us. A trailing dot also affects SNI. How do OpenSSL's functions SSL_set_tlsext_host_name() and X509_VERIFY_PARAM_s

2017-11-09 Thread Sam Napolitano
New submission from Sam Napolitano: I recently came across an issue in the ssl library and have a simple fix to address it. When doing hostname verification against an X.509 certificate, a trailing dot (period) in the hostname is matched against the certificate. But the trailing dot should