Commit aef1283b authored by Christian Heimes's avatar Christian Heimes Committed by GitHub

bpo-32819: Simplify and improve ssl.match_hostname (#5620)

ssl.match_hostname() has been simplified and no longer depends on re and
ipaddress module for wildcard and IP addresses. Error reporting for invalid
wildcards has been improved.
Signed-off-by: default avatarChristian Heimes <>
parent c29c03a3
import ipaddress
import re
import sys
import os
from collections import namedtuple
......@@ -160,6 +158,7 @@ if sys.platform == "win32":
from socket import socket, AF_INET, SOCK_STREAM, create_connection
from socket import SOL_SOCKET, SO_TYPE
import socket as _socket
import base64 # for DER-to-PEM translation
import errno
import warnings
......@@ -183,55 +182,75 @@ CertificateError = SSLCertVerificationError
def _dnsname_match(dn, hostname):
"""Matching according to RFC 6125, section 6.4.3
- Hostnames are compared lower case.
- For IDNA, both dn and hostname must be encoded as IDN A-label (ACE).
- Partial wildcards like 'www*', multiple wildcards, sole
wildcard or wildcards in labels other then the left-most label are not
supported and a CertificateError is raised.
- A wildcard must match at least one character.
pats = []
if not dn:
return False
leftmost, *remainder = dn.split(r'.')
wildcards = dn.count('*')
# speed up common case w/o wildcards
if not wildcards:
return dn.lower() == hostname.lower()
if wildcards > 1:
raise CertificateError(
"too many wildcards in certificate DNS name: {!r}.".format(dn))
wildcards = leftmost.count('*')
if wildcards == 1 and len(leftmost) > 1:
dn_leftmost, sep, dn_remainder = dn.partition('.')
if '*' in dn_remainder:
# Only match wildcard in leftmost segment.
raise CertificateError(
"wildcard can only be present in the leftmost segment: " + repr(dn))
"wildcard can only be present in the leftmost label: "
if wildcards > 1:
# Issue #17980: avoid denials of service by refusing more
# than one wildcard per fragment. A survey of established
# policy among SSL implementations showed it to be a
# reasonable choice.
if not sep:
# no right side
raise CertificateError(
"too many wildcards in certificate DNS name: " + repr(dn))
"sole wildcard without additional labels are not support: "
# speed up common case w/o wildcards
if not wildcards:
return dn.lower() == hostname.lower()
if dn_leftmost != '*':
# no partial wildcard matching
raise CertificateError(
"partial wildcards in leftmost label are not supported: "
# RFC 6125, section 6.4.3, subitem 1.
# The client SHOULD NOT attempt to match a presented identifier in which
# the wildcard character comprises a label other than the left-most label.
if leftmost == '*':
# When '*' is a fragment by itself, it matches a non-empty dotless
# fragment.
elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
# RFC 6125, section 6.4.3, subitem 3.
# The client SHOULD NOT attempt to match a presented identifier
# where the wildcard character is embedded within an A-label or
# U-label of an internationalized domain name.
# Otherwise, '*' matches any dotless string, e.g. www*
pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
hostname_leftmost, sep, hostname_remainder = hostname.partition('.')
if not hostname_leftmost or not sep:
# wildcard must match at least one char
return False
return dn_remainder.lower() == hostname_remainder.lower()
# add the remaining fragments, ignore any wildcards
for frag in remainder:
pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
return pat.match(hostname)
def _inet_paton(ipname):
"""Try to convert an IP address to packed binary form
Supports IPv4 addresses on all platforms and IPv6 on platforms with IPv6
# inet_aton() also accepts strings like '1'
if ipname.count('.') == 3:
return _socket.inet_aton(ipname)
except OSError:
return _socket.inet_pton(_socket.AF_INET6, ipname)
except OSError:
raise ValueError("{!r} is neither an IPv4 nor an IP6 "
except AttributeError:
# AF_INET6 not available
raise ValueError("{!r} is not an IPv4 address.".format(ipname))
def _ipaddress_match(ipname, host_ip):
......@@ -241,14 +260,19 @@ def _ipaddress_match(ipname, host_ip):
(section 1.7.2 - "Out of Scope").
# OpenSSL may add a trailing newline to a subjectAltName's IP address
ip = ipaddress.ip_address(ipname.rstrip())
ip = _inet_paton(ipname.rstrip())
return ip == host_ip
def match_hostname(cert, hostname):
"""Verify that *cert* (in decoded format as returned by
SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
rules are followed, but IP addresses are not accepted for *hostname*.
rules are followed.
The function matches IP addresses rather than dNSNames if hostname is a
valid ipaddress string. IPv4 addresses are supported on all platforms.
IPv6 addresses are supported on platforms with IPv6 support (AF_INET6
and inet_pton).
CertificateError is raised on failure. On success, the function
returns nothing.
......@@ -258,7 +282,7 @@ def match_hostname(cert, hostname):
"SSL socket or SSL context with either "
host_ip = ipaddress.ip_address(hostname)
host_ip = _inet_paton(hostname)
except ValueError:
# Not an IP address (common case)
host_ip = None
......@@ -622,8 +622,10 @@ class BasicSocketTests(unittest.TestCase):
fail(cert, '')
# -- IPv6 matching --
if hasattr(socket, 'AF_INET6'):
cert = {'subject': ((('commonName', ''),),),
'subjectAltName': (('DNS', ''),
'subjectAltName': (
('DNS', ''),
('IP Address', '2001:0:0:0:0:0:0:CAFE\n'),
('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}
ok(cert, '2001::cafe')
......@@ -665,14 +667,45 @@ class BasicSocketTests(unittest.TestCase):
# Issue #17980: avoid denials of service by refusing more than one
# wildcard per fragment.
cert = {'subject': ((('commonName', 'a*'),),)}
fail(cert, '')
cert = {'subject': ((('commonName', 'a**'),),)}
fail(cert, '')
cert = {'subject': ((('commonName', 'a*b*.com'),),)}
with self.assertRaises(ssl.CertificateError) as cm:
ssl.match_hostname(cert, '')
self.assertIn("too many wildcards", str(cm.exception))
cert = {'subject': ((('commonName', 'a*'),),)}
with self.assertRaisesRegex(
"partial wildcards in leftmost label are not supported"):
ssl.match_hostname(cert, '')
cert = {'subject': ((('commonName', 'www.*'),),)}
with self.assertRaisesRegex(
"wildcard can only be present in the leftmost label"):
ssl.match_hostname(cert, '')
cert = {'subject': ((('commonName', 'a*b*'),),)}
with self.assertRaisesRegex(
"too many wildcards"):
ssl.match_hostname(cert, '')
cert = {'subject': ((('commonName', '*'),),)}
with self.assertRaisesRegex(
"sole wildcard without additional labels are not support"):
ssl.match_hostname(cert, 'host')
cert = {'subject': ((('commonName', '*.com'),),)}
with self.assertRaisesRegex(
r"hostname 'com' doesn't match '\*.com'"):
ssl.match_hostname(cert, 'com')
# extra checks for _inet_paton()
for invalid in ['1', '', '1.2.3', '', '']:
with self.assertRaises(ValueError):
for ipaddr in ['', '']:
if hasattr(socket, 'AF_INET6'):
for ipaddr in ['::1', '2001:db8:85a3::8a2e:370:7334']:
def test_server_side(self):
# server_hostname doesn't work for server sockets
ssl.match_hostname() has been simplified and no longer depends on re and
ipaddress module for wildcard and IP addresses. Error reporting for invalid
wildcards has been improved.
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment