Strip trailing dot from FQDNs in Host and TLS
The TLS verification fails with an exception if the client uses a fully-qualified domain name with a trailing dot, like https://github.com./ :

    aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host github.com.:443 ssl:True [SSLCertVerificationError: (1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'github.com.'. (_ssl.c:1051)")]

The reason is that TLS certificates do not contain the trailing dot, as per RFC 6066:

    "HostName" contains the fully qualified DNS hostname of the server, as understood by the client. The hostname is represented as a byte string using ASCII encoding without a trailing dot.

We need to strip the trailing dot for TLS context and Host header, where trailing dots are not present.

For DNS resolution, we need to include the trailing dot as it signifies a fully-qualified domain name (FQDN). DNS lookups of FQDNs are faster as the resolver does not need to check the DNS search path, like for relative DNS names.

Closes #3636
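The split the commit message describes, as an added example that is not code from this commit or from aiohttp: one URL yields a dotted name for DNS and a dot-free name for TLS and the Host header. The function names, the simplified SAN matcher and the SAN list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: dNSName entries as they would appear in a certificate.
CONSTRUCTED_SANS = ["github.com", "www.github.com"]


def names_for_request(url):
    """Return the host name in the three forms one request needs (hypothetical helper)."""
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased; IPv6 brackets already removed
    if not host:
        raise ValueError("URL has no host: %r" % (url,))
    # DNS: keep the trailing dot so the resolver treats the name as absolute
    # and skips the search path.
    dns_name = host
    # TLS (SNI and certificate check) and Host header: drop one trailing dot.
    bare = host[:-1] if host.endswith(".") and len(host) > 1 else host
    # Host header: bracket IPv6 literals, append only non-default ports.
    host_header = "[%s]" % bare if ":" in bare else bare
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host_header += ":%d" % parts.port
    return {"dns": dns_name, "sni": bare, "host_header": host_header}


def san_matches(hostname, dns_sans):
    """Simplified dNSName check: exact labels, or '*' as the left-most label."""
    labels = hostname.lower().split(".")
    for san in dns_sans:
        pattern = san.lower().split(".")
        if len(pattern) != len(labels):
            continue  # 'github.com.' has an extra empty label, so it never matches
        if pattern[0] in ("*", labels[0]) and pattern[1:] == labels[1:]:
            return True
    return False


if __name__ == "__main__":
    names = names_for_request("https://github.com./")
    print(names)
    print("dotted name matches cert:", san_matches(names["dns"], CONSTRUCTED_SANS))
    print("stripped name matches cert:", san_matches(names["sni"], CONSTRUCTED_SANS))
```

Passing the dotted name to the certificate check reproduces the hostname mismatch quoted above; the stripped name verifies.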
1 parent 7911f1e, commit 5f3ca35

Showing 4 changed files with 14 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
Strip trailing dot in Host header and TLS context from fully-qualified domain names. | ||
This allows the client to connect to URLs with FQDN hostname like `https://example.com./` |
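Review bot: This changelog entry documents only the stripping (Host header and TLS context) and omits that DNS resolution still receives the name with its trailing dot, which the commit message calls out as deliberate. Add a sentence after the `https://example.com./` line saying the resolver is still given the fully-qualified name, so readers can tell that lookup behaviour is unchanged and only the Host header and TLS hostname differ from the URL as typed.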