Do Python 3.6 and Requests Module conform to RFC 6125 for wildcard reference identifiers?

I am trying to ascertain whether Python's request module conforms to RFC 6125 or not.

I created a Root CA Certificate and added it to my Linux's Trust Store. I then created a Server certificate and signed it with my Root CA Certificate and put the common name as "*.com". Then I started a server using OpenSSL's s_server using the Server Certificate.

Now as per RFC 6125 and this question, my Python client should not establish a TLS connection if I try to connect with "". However, the Python client does not fail here and establishes a connection. I am executing this command in the terminal:

python -c "import requests; print(requests.get('', verify='/etc/ssl/certs/ca-certificates.crt'));"

But, if I try to connect with "", I get the expected error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname '' doesn't match '*.com'",),))

In my opinion, this is a very trivial thing that should not happen.

So is there something wrong in my approach or does the Requests Module actually not fail in this scenario?

Looking forward to your help guys!

1 solution

The problem was already reported in issue 29824. But, it was considered as 'wont fix':


Matching wildcard in public suffix
Yes, it would be beneficial to have more elaborate checks to protect against wildcard attacks like *.com. However Python is not a browser. It's really hard to do it right and even harder to keep the rule set up to date. Some TLDs like .uk have sublevel namespaces, e.g. *.co.uk is also invalid.


Apart from that, newer versions of Python simply use the functionality of OpenSSL to check the hostname:


The problem is going to shift anyway. For Python 3.7 I'm going to deprecate support for OpenSSL < 1.0.2 and use OpenSSL's hostname verification code instead of ssl.match_hostname().

Only, OpenSSL does not care about public suffix either.


I personally don't buy the argument that this is too hard to do in the first place and it is hard to keep up-to-date. There is a publicly managed list of such public suffixes at publicsuffix.org and the syntax is not hard to parse so that one can also find several implementations in Python for dealing with the list.
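As an added illustration of the check the answer argues for (this is example code written for this page, not Python's own ssl.match_hostname and not a full Public Suffix List parser), here is a wildcard matcher in the RFC 6125 shape that additionally refuses a wildcard whose parent domain appears in a constructed excerpt of the Public Suffix List, so "*.com" and "*.co.uk" are rejected while "*.example.co.uk" still works:

```python
# Constructed excerpt in the syntax of the Public Suffix List (publicsuffix.org).
# The real list has thousands of rules and also wildcard ("*.ck") and exception
# ("!www.ck") rules; this small parser skips those, so it is not a full PSL parser.
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
"""


def parse_psl(text):
    """Return the set of plain suffix rules, skipping comments and blank lines."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("//", "*", "!")):
            rules.add(line.lower())
    return rules


RULES = parse_psl(PSL_EXCERPT)


def wildcard_matches(pattern, hostname, rules=RULES):
    """Match a certificate DNS name against a hostname; returns (matched, reason).

    Only the whole left-most label may be '*' and it matches exactly one label
    (RFC 6125 section 6.4.3 shape); a wildcard whose parent domain is a public
    suffix is refused, which is the guard the answer asks for.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname, "exact comparison"
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False, "wildcard must be the entire left-most label"
    parent = ".".join(plabels[1:])
    if parent in rules:
        return False, "parent domain '%s' is a public suffix" % parent
    if len(plabels) < 3:  # never accept '*.tld', even for a TLD missing from the list
        return False, "wildcard needs at least two labels after it"
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False, "wildcard matches exactly one non-empty label"
    if hlabels[1:] != plabels[1:]:
        return False, "parent labels differ"
    return True, "wildcard match"
```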


