ssl.match_hostname() IDNA issue


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

ssl.match_hostname(): substring wildcard should not match IDNA prefix.

Change the behavior of ssl.match_hostname() to follow RFC 6125, for security reasons. It no longer matches multiple wildcards, nor wildcards inside IDN (punycode, "xn--") fragments. Note that this function was only added to Python 2.7 in a backport to 2.7.9, and was added in its fixed form, so no release of Python 2.7 has this vulnerability.
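The RFC 6125 rules the fix describes, as an added illustration written for this page rather than CPython's own `_dnsname_match` code: a single wildcard confined to the leftmost label, never spanning a dot, and never embedded in an IDNA A-label. The `CertificateError` class and the `pattern_is_acceptable` helper are constructed for the example.

```python
import re


class CertificateError(ValueError):
    """Raised for a malformed dNSName pattern (constructed for this example)."""


def dnsname_match(pattern: str, hostname: str, max_wildcards: int = 1) -> bool:
    """Match one certificate dNSName pattern against a hostname, RFC 6125 style.

    Rules applied:
      * at most `max_wildcards` wildcards, and only in the leftmost label
      * a wildcard matches exactly one label, never across a '.'
      * no wildcard inside an IDNA A-label ('xn--' prefix), so a pattern such
        as 'xn--*.example.com' is rejected rather than matched by prefix
      * a partial wildcard ('x*') never matches into a punycode host label
      * all other comparison is literal and case-insensitive
    """
    if not pattern:
        return False
    leftmost, *remainder = pattern.split(".")
    if any("*" in frag for frag in remainder):
        raise CertificateError("wildcard outside leftmost label: %r" % pattern)
    wildcards = leftmost.count("*")
    if wildcards > max_wildcards:
        raise CertificateError("too many wildcards in %r" % pattern)
    if not wildcards:
        return pattern.lower() == hostname.lower()
    if leftmost.lower().startswith("xn--"):
        raise CertificateError("wildcard inside IDNA fragment: %r" % pattern)
    host_leftmost = hostname.split(".")[0]
    if leftmost == "*":
        head = "[^.]+"                      # whole-label wildcard
    elif host_leftmost.lower().startswith("xn--"):
        return False                        # no substring match into an A-label
    else:
        head = re.escape(leftmost).replace(r"\*", "[^.]*")
    pats = [head] + [re.escape(frag) for frag in remainder]
    return re.fullmatch(r"\.".join(pats), hostname, re.IGNORECASE) is not None


def pattern_is_acceptable(pattern: str) -> bool:
    """True if the pattern itself passes the structural checks above."""
    try:
        dnsname_match(pattern, "probe.invalid")
    except CertificateError:
        return False
    return True
```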


  • Disclosure date: 2013-05-17 (Python issue bpo-17997 reported)

Fixed In

Python issue

ssl.match_hostname(): substring wildcard should not match IDNA prefix.

  • Python issue: bpo-17997
  • Creation date: 2013-05-17
  • Reporter: Christian Heimes


The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.


Timeline using the disclosure date 2013-05-17 as reference:

  • 2013-05-17: Python issue bpo-17997 reported by Christian Heimes
  • 2013-10-27 (+163 days): commit 72c98d3 (branch 3.3)
  • 2013-11-17 (+184 days): Python 3.3.3 released
  • 2014-03-16: Python 3.4.0 released
  • 2016-06-07 (+1117 days): CVE-2013-7440 published