Python 3.6和Requests Module是否符合RFC 6125的通配符引用标识符?

[英]Do Python 3.6 and Requests Module conform to RFC 6125 for wildcard reference identifiers?


I am trying to ascertain whether Python's request module conforms to RFC 6125 or not.

我试图确定Python的请求模块是否符合RFC 6125。

I created a Root CA Certificate and added it to my Linux's Trust Store. I then created a Server certificate and signed it with my Root CA Certificate and put the common name as "*.com". Then I started a server using OpenSSL's s_server using the Server Certificate.

我创建了一个根CA证书并将其添加到我的Linux的Trust Store中。然后,我创建了一个服务器证书,并使用我的根CA证书对其进行了签名,并将公用名称设置为“* .com”。然后我使用服务器证书使用OpenSSL的s_server启动了一个服务器。

Now as per RFC 6125 and this question, my python client should not establish a TLS connection if i try to connect with "foo.com". However, the Python client does not fail here and establishes a connection. I am executing this command in the terminal:

现在根据RFC 6125和这个问题,如果我尝试连接“foo.com”,我的python客户端不应该建立TLS连接。但是,Python客户端不会在此处失败并建立连接。我在终端中执行此命令:

python -c "import requests; print(requests.get('https://foo.com', verify='/etc/ssl/certs/ca-certificates.crt'));"

But, if i try to connect with "bar.foo.com", i get the expected error:

但是,如果我尝试连接“bar.foo.com”,我会得到预期的错误:

requests.exceptions.SSLError: HTTPSConnectionPool(host='bar.foo.com', port=443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname 'bar.foo.com' doesn't match '*.com'",),))

requests.exceptions.SSLError:HTTPSConnectionPool(host ='bar.foo.com',port = 443):使用url超出最大重试次数:/(由SSLError引起(CertificateError(“hostname'sbar.foo.com”不匹配) '* .COM'”)))

In my opinion, this is a very trivial thing that should not happen.

在我看来,这是一个不应该发生的非常微不足道的事情。

So is there something wrong in my approach or does the Requests Module actually not fail in this scenario?

那么我的方法有什么问题,或者请求模块在这种情况下实际上没有失败吗?

Looking forward to your help guys!

期待你的帮助!

Thanks!

1 个解决方案

#1


3  

The problem was already reported in issue 29824. But, it was considered as 'wont fix':

问题已在问题29824中报告。但是,它被认为是“不会修复”:

Matching wildcard in public suffix
...
Yes, it would be beneficial to have more elaborate checks to protect against wildcard attacks like *.com. However Python is not a browser. It's really hard to do it right and even harder to keep the rule set up to date. Some TLDs like .uk have sublevel namespaces, e.g. co.uk. *.co.uk is also invalid.

在公共后缀中匹配通配符...是的,进行更精细的检查以防止像* .com这样的通配符攻击将是有益的。但是Python不是浏览器。要做到这一点真的很难,甚至更难保持规则设置。像.uk这样的一些TLD具有子级命名空间,例如co.uk. * .co.uk也无效。

Apart from that newer versions of Python simply use the functionality of OpenSSL to check the hostname:

除了较新版本的Python之外,只需使用OpenSSL的功能来检查主机名:

The problem is going to shift anyway. For Python 3.7 I'm going to deprecate support for OpenSSL < 1.0.2 and use OpenSSL's hostname verification code instead of ssl.match_hostname().

无论如何,问题仍将转移。对于Python 3.7,我将弃用对OpenSSL <1.0.2的支持,并使用OpenSSL的主机名验证代码而不是ssl.match_hostname()。

Only, that OpenSSL does not care about public suffix either.

只是,OpenSSL也不关心公共后缀。

I personally don't bye the argument that this is too hard too do in the first place and it is hard to keep up-to-date. There is a publicly managed list of such public suffixes at publicsuffix.org and the syntax is not hard to parse so that one can also find several implementations in Python for dealing with the list.

我个人并不认为这一点太难了,而且很难保持最新状态。 publicsuffix.org上有一个公开管理的公共后缀列表,并且语法不难解析,因此人们也可以在Python中找到几个用于处理列表的实现。

智能推荐

注意!

本站翻译的文章,版权归属于本站,未经许可禁止转摘,转摘请注明本文地址:http://www.itdaan.com/blog/2018/02/27/7dee7e63844a2cd9e0d9ea4e811378e5.html



 
© 2014-2019 ITdaan.com 粤ICP备14056181号  

赞助商广告