Bug 1284916

Summary: [PATCH] Latest ssl.py breaks certificate validation for wildcard domains, e.g. *.s3.amazonaws.com
Product: Red Hat Enterprise Linux 7 Reporter: Alexander Todorov <atodorov>
Component: pythonAssignee: Matej Stuchlik <mstuchli>
Status: CLOSED NOTABUG QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: low Docs Contact:
Priority: low    
Version: 7.2CC: cheimes, jberan, lmiksik, mstuchli
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1284930 (view as bug list) Environment:
Last Closed: 2015-11-24 14:50:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1284930    

Description Alexander Todorov 2015-11-24 13:11:23 UTC 
Description of problem:

The latest ssl.py file tries to validate hostnames vs certificates but includes a faulty regexp which causes any wildcard domains (e.g. *.s3.amazonaws.com) to fail validation. 

Version-Release number of selected component (if applicable):
python-libs-2.7.5-34.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. I'm using the s3cmd tool which tries to establish an SSL connection to Amazon S3:

s3cmd sync -c ./data/s3.cfg -v -m text/css -P /tmp/svplanet/english/html/*.css s3://planet.sofiavalley.com/

however this can be even more easily reproduced.

>>> import ssl
>>> ssl._dnsname_match("*.s3.amazonaws.com", "planet.sofiavalley.com.s3.amazonaws.com")
>>> 


2.
3.

Actual results:


Expected results:
<_sre.SRE_Match object at 0x1474030> - the function should match the provided domain and hostname.

Additional info:

The following patch fixes the issue:

# diff -u ssl.py.orig ssl.py
--- ssl.py.orig	2015-11-24 14:22:58.490693826 +0200
+++ ssl.py	2015-11-24 14:57:35.777738043 +0200
@@ -214,7 +214,7 @@
     if leftmost == '*':
         # When '*' is a fragment by itself, it matches a non-empty dotless
         # fragment.
-        pats.append('[^.]+')
+        pats.append('^.+')
     elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
         # RFC 6125, section 6.4.3, subitem 3.
         # The client SHOULD NOT attempt to match a presented identifier


From Python's documentation:

[]

    Used to indicate a set of characters. In a set:

...
        Special characters lose their special meaning inside sets. For example, [(+*)] will match any of the literal characters '(', '+', '*', or ')'.

^^^^^^^^^ this is the cause of the error
Comment 1 Matej Stuchlik 2015-11-24 14:05:36 UTC 
The code is actually correct as is -- see RFC 6125, section 6.4.3, subitem 2:

If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com).

http://tools.ietf.org/html/rfc6125#section-6.4.3
Comment 2 Alexander Todorov 2015-11-24 14:46:29 UTC 
Matej,
indeed you are right, sorry for the false alarm. I've managed to track down the issue further. There's also a change in httplib.py and the calling code wasn't aware of that. I've managed to create a fix for the caller:
https://github.com/s3tools/s3cmd/pull/668

Probably this one should be closed.
Comment 3 Matej Stuchlik 2015-11-24 14:50:31 UTC 
Cool, good to hear that Alexander. :)