Title: [bpo-28414] In SSL module, store server_hostname as an A-label by njsmith · Pull Request #3010 · python/cpython · GitHub
Open Graph Title: [bpo-28414] In SSL module, store server_hostname as an A-label by njsmith · Pull Request #3010 · python/cpython
X Title: [bpo-28414] In SSL module, store server_hostname as an A-label by njsmith · Pull Request #3010 · python/cpython
Description: Historically, our handling of international domain names (IDNs) in the ssl module has been very broken. The flow went like: User passes server_hostname= to the SSLSocket/SSLObject constructor. This gets normalized to an A-label by using the PyArg_Parse "et" mode: bytes objects get passed through unchanged (assumed to already be A-labels); str objects get run through .encode("idna") to convert them into A-labels. newPySSLSocket takes this A-label, and for some reason decodes it back to a U-label, and stores that as the object's server_hostname attribute. Later, this U-label server_hostname attribute gets passed to match_hostname, to compare against the hostname seen in the certificate. But certificates contain A-labels, and match_hostname expects to be passed an A-label, so this doesn't work at all. This PR fixes the problem by removing the pointless decoding at step 2, so that internally we always use A-labels, which matches how internet protocols are designed in general: A-labels are used everywhere internally and on-the-wire, and U-labels are basically just for user interfaces. This also matches the general advice to handle encoding/decoding once at the edges, though for backwards-compatibility we continue to use 'str' objects to store A-labels, even though they're now always ASCII. Technically there is a minor compatibility break here: if a user examines the .server_hostname attribute of an ssl-wrapped socket, then previously they would have seen a U-label like "pythön.org", and now they'll see an A-label like "xn--pythn-mua.org". But this only affects non-ASCII domain names, which have never worked in the first place, so it seems unlikely that anyone is relying on the old behavior. This PR also adds an end-to-end test for IDN hostname validation. Previously there were no tests for this functionality. Fixes bpo-28414. https://bugs.python.org/issue28414
Open Graph Description: Historically, our handling of international domain names (IDNs) in the ssl module has been very broken. The flow went like: User passes server_hostname= to the SSLSocket/SSLObject constructor. Th...
X Description: Historically, our handling of international domain names (IDNs) in the ssl module has been very broken. The flow went like: User passes server_hostname= to the SSLSocket/SSLObject constructor. Th...
Opengraph URL: https://github.com/python/cpython/pull/3010
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:e1190913-cd1a-743e-595f-01d14b31df71 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | CC86:228A12:1D43653:2954139:6A4CCF95 |
| html-safe-nonce | 7252ab6b3bd5c5d206250a21127a6e44e6030877a9bc41be4f06a8c943c707d8 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDQzg2OjIyOEExMjoxRDQzNjUzOjI5NTQxMzk6NkE0Q0NGOTUiLCJ2aXNpdG9yX2lkIjoiMTA5OTk5NzQ1MDQ5MDEzODUxNyIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 7cd4d6e08bd2e82b0c6c461b72ea7e8c370442b20869d9627edc38fb2f61d4a2 |
| hovercard-subject-tag | pull_request:134341919 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/python/cpython/pull/3010/files |
| twitter:image | https://avatars.githubusercontent.com/u/609896?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/609896?s=400&v=4 |
| og:image:alt | Historically, our handling of international domain names (IDNs) in the ssl module has been very broken. The flow went like: User passes server_hostname= to the SSLSocket/SSLObject constructor. Th... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | ee8a9d18044a05fe2d57b9ae797da38c8be34effb03f015f7c42e94770d28a1b |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/python/cpython git https://github.com/python/cpython.git |
| octolytics-dimension-user_id | 1525981 |
| octolytics-dimension-user_login | python |
| octolytics-dimension-repository_id | 81598961 |
| octolytics-dimension-repository_nwo | python/cpython |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 81598961 |
| octolytics-dimension-repository_network_root_nwo | python/cpython |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | f84814acc6f036583fd43463f5847a846243d2a4 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width