Bug 1284916
Summary: | [PATCH] Latest ssl.py breaks certificate validation for wildcard domains, e.g. *.s3.amazonaws.com | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Alexander Todorov <atodorov> | |
Component: | python | Assignee: | Matej Stuchlik <mstuchli> | |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE - Apps <qe-baseos-apps> | |
Severity: | low | Docs Contact: | ||
Priority: | low | |||
Version: | 7.2 | CC: | cheimes, jberan, lmiksik, mstuchli | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1284930 (view as bug list) | Environment: | ||
Last Closed: | 2015-11-24 14:50:31 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1284930 |
The code is actually correct as is -- see RFC 6125, section 6.4.3, subitem 2: If the wildcard character is the only character of the left-most label in the presented identifier, the client SHOULD NOT compare against anything but the left-most label of the reference identifier (e.g., *.example.com would match foo.example.com but not bar.foo.example.com or example.com). http://tools.ietf.org/html/rfc6125#section-6.4.3 Matej, indeed you are right, sorry for the false alarm. I've managed to track down the issue further. There's also a change in httplib.py and the calling code wasn't aware of that. I've managed to create a fix for the caller: https://github.com/s3tools/s3cmd/pull/668 Probably this one should be closed. Cool, good to hear that Alexander. :) |
Description of problem: The latest ssl.py file tries to validate hostnames vs certificates but includes a faulty regexp which causes any wildcard domains (e.g. *.s3.amazonaws.com) to fail validation. Version-Release number of selected component (if applicable): python-libs-2.7.5-34.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. I'm using the s3cmd tool which tries to establish an SSL connection to Amazon S3: s3cmd sync -c ./data/s3.cfg -v -m text/css -P /tmp/svplanet/english/html/*.css s3://planet.sofiavalley.com/ however this can be even more easily reproduced. >>> import ssl >>> ssl._dnsname_match("*.s3.amazonaws.com", "planet.sofiavalley.com.s3.amazonaws.com") >>> 2. 3. Actual results: Expected results: <_sre.SRE_Match object at 0x1474030> - the function should match the provided domain and hostname. Additional info: The following patch fixes the issue: # diff -u ssl.py.orig ssl.py --- ssl.py.orig 2015-11-24 14:22:58.490693826 +0200 +++ ssl.py 2015-11-24 14:57:35.777738043 +0200 @@ -214,7 +214,7 @@ if leftmost == '*': # When '*' is a fragment by itself, it matches a non-empty dotless # fragment. - pats.append('[^.]+') + pats.append('^.+') elif leftmost.startswith('xn--') or hostname.startswith('xn--'): # RFC 6125, section 6.4.3, subitem 3. # The client SHOULD NOT attempt to match a presented identifier From Python's documentation: [] Used to indicate a set of characters. In a set: ... Special characters lose their special meaning inside sets. For example, [(+*)] will match any of the literal characters '(', '+', '*', or ')'. ^^^^^^^^^ this is the cause of the error