CVE-2013-7440: ssl.match_hostname() IDNA issue

ssl.match_hostname(): sub string wildcard should not match IDNA prefix.

Change behavior of ssl.match_hostname() to follow RFC 6125, for security reasons. It now doesn’t match multiple wildcards nor wildcards inside IDN fragments.

  • Disclosure date: 2013-05-17 (Python issue #17997 reported)

Fixed In

Python issue

ssl.match_hostname(): sub string wildcard should not match IDNA prefix.

  • Python issue: issue #17997
  • Creation date: 2013-05-17
  • Reporter: Christian Heimes

CVE-2013-7440

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.

Timeline

Timeline using the disclosure date 2013-05-17 as reference:

  • 2013-05-17: Python issue #17997 reported by Christian Heimes
  • 2013-10-27 (+163 days): commit 72c98d3
  • 2013-11-17 (+184 days): Python 3.3.3 released
  • 2014-03-16: Python 3.4.0 released
  • 2016-06-07 (+1117 days): CVE-2013-7440 published