bpo-23033: Improve SSL Certificate handling (GH-937)

Wildcard is now supported in hostname when it is one and only character in the leftmost segment.
author: Mandeep Singh <daxlab@users.noreply.github.com> 2017-11-27 04:01:27 +0530
committer: Mariatta <Mariatta@users.noreply.github.com> 2017-11-26 14:31:27 -0800
commit: ede2ac913eba47131ee1bbc37a9aea344d678576 (patch)
tree: b4270e8572769876e6da0786db280a6a0ed05639 /Lib/ssl.py
parent: 0cd2e81bea639828d7c9a7afc61fb1da9699492c (diff)
download: cpython-git-ede2ac913eba47131ee1bbc37a9aea344d678576.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 75caae0c44..fa83606e7c 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -221,7 +221,7 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_match(dn, hostname, max_wildcards=1):
+def _dnsname_match(dn, hostname):
     """Matching according to RFC 6125, section 6.4.3
 
     http://tools.ietf.org/html/rfc6125#section-6.4.3
@@ -233,7 +233,12 @@ def _dnsname_match(dn, hostname, max_wildcards=1):
     leftmost, *remainder = dn.split(r'.')
 
     wildcards = leftmost.count('*')
-    if wildcards > max_wildcards:
+    if wildcards == 1 and len(leftmost) > 1:
+        # Only match wildcard in leftmost segment.
+        raise CertificateError(
+            "wildcard can only be present in the leftmost segment: " + repr(dn))
+
+    if wildcards > 1:
         # Issue #17980: avoid denials of service by refusing more
         # than one wildcard per fragment.  A survey of established
         # policy among SSL implementations showed it to be a
author	Mandeep Singh <daxlab@users.noreply.github.com>	2017-11-27 04:01:27 +0530
committer	Mariatta <Mariatta@users.noreply.github.com>	2017-11-26 14:31:27 -0800
commit	ede2ac913eba47131ee1bbc37a9aea344d678576 (patch)
tree	b4270e8572769876e6da0786db280a6a0ed05639 /Lib/ssl.py
parent	0cd2e81bea639828d7c9a7afc61fb1da9699492c (diff)
download	cpython-git-ede2ac913eba47131ee1bbc37a9aea344d678576.tar.gz