IDN + HTTPS = ssl.CertificateError #1685

Closed
tdivis opened this issue Feb 26, 2017 · 5 comments

tdivis commented Feb 26, 2017

I'm trying to fetch a site with an IDN domain name on HTTPS, but it ends up with a CertificateError, because match_hostname is trying to find the decoded hostname instead of the punycode hostname in the CNs of the certificate. Example:

```python
import aiohttp, asyncio
loop = asyncio.get_event_loop()
loop.run_until_complete(aiohttp.ClientSession().get('https://www.xn--hkyrky-ptac70bc.cz'))
```

which ends up with:

```
Traceback (most recent call last):
  File "/usr/lib64/python3.5/asyncio/events.py", line 125, in _run
    self._callback(*self._args)
  File "/usr/lib64/python3.5/asyncio/selector_events.py", line 676, in _read_ready
    self._protocol.data_received(data)
  File "/usr/lib64/python3.5/asyncio/sslproto.py", line 492, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib64/python3.5/asyncio/sslproto.py", line 200, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.5/ssl.py", line 638, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib64/python3.5/ssl.py", line 297, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'www.háčkyčárky.cz' doesn't match either of 'dns-ok.cz', 'dnssec.cz', 'ietf80.cz', 'ietf93.cz', 'kasuar.cz', 'napul.cz', 'old.dobradomena.cz', 'www.dns-ok.cz', 'www.dnssec.cz', 'www.ietf80.cz', 'www.ietf93.cz', 'www.kasuar.cz', 'www.napul.cz', 'www.xn--hkyrky-ptac70bc.cz', 'xn--hkyrky-ptac70bc.cz'
```

I guess this is a similar issue to #1444.

Can reproduce it on both master and 1.2.0 with Python 3.5.2.
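
The mismatch reported above, as an added example that is not part of the original issue and is not aiohttp's code: certificates carry IDN names in A-label (punycode) form, so the hostname has to be converted to that form before it is compared. The function names are hypothetical, the matcher is deliberately simplified (exact match or a whole left-most `*` label), and the certificate names are a subset of those in the traceback.

```python
# Added example: hostname verification for IDN names must compare A-labels.
# Names below are hypothetical helpers, not aiohttp or ssl module APIs.

# Subset of the dNSName entries shown in the traceback above.
CERT_DNS_NAMES = ["dns-ok.cz", "www.xn--hkyrky-ptac70bc.cz", "xn--hkyrky-ptac70bc.cz"]


def to_a_label(hostname):
    """Return the ASCII (punycode) form of a hostname, lowercased."""
    # Python's built-in "idna" codec (IDNA 2003); ASCII names pass through.
    return hostname.rstrip(".").encode("idna").decode("ascii").lower()


def dns_name_matches(pattern, host):
    """Simplified matcher: exact, or '*' as the entire left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        # A wildcard covers exactly one label, never several.
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(hostname, dns_names, normalise=True):
    """Check hostname against certificate names.

    normalise=False reproduces the failure in the issue: the decoded
    Unicode name is compared directly with punycode entries.
    """
    host = to_a_label(hostname) if normalise else hostname
    return any(dns_name_matches(name, host) for name in dns_names)


if __name__ == "__main__":
    unicode_host = "www.háčkyčárky.cz"
    print(to_a_label(unicode_host))
    print("decoded name compared directly:", cert_matches(unicode_host, CERT_DNS_NAMES, False))
    print("A-label compared:", cert_matches(unicode_host, CERT_DNS_NAMES))
```
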

@fafhrd91
Member

I think this is python's ssl module bug

@tdivis
Author

tdivis commented Feb 28, 2017

Not sure, but for example python-requests works fine with IDN+HTTPS.

@fafhrd91
Member

I found a problem

fafhrd91 added a commit that referenced this issue Mar 14, 2017
@fafhrd91
Member

will release 1.3.4 soon

@lock

lock bot commented Oct 28, 2019

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there are important points made in this discussion,
please include those excerpts into that new issue.

@lock lock bot added the outdated label Oct 28, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 28, 2019