consider wildcard in left most segment only

daxlab · daxlab · commit 7a0fe23cd92d · 2017-11-26T16:43:56.000+05:30
diff --git a/Lib/ssl.py b/Lib/ssl.py
@@ -221,7 +221,7 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_match(dn, hostname, max_wildcards=1):
+def _dnsname_match(dn, hostname):
     """Matching according to RFC 6125, section 6.4.3
 
     http://tools.ietf.org/html/rfc6125#section-6.4.3
@@ -233,13 +233,11 @@ def _dnsname_match(dn, hostname, max_wildcards=1):
     leftmost, *remainder = dn.split(r'.')
 
     wildcards = leftmost.count('*')
-    if wildcards > max_wildcards:
-        # Issue #17980: avoid denials of service by refusing more
-        # than one wildcard per fragment.  A survey of established
-        # policy among SSL implementations showed it to be a
-        # reasonable choice.
+    if wildcards == 1 and len(leftmost) > 1:
+        """ Only match wildcard in leftmost segment.
+        """
         raise CertificateError(
-            "too many wildcards in certificate DNS name: " + repr(dn))
+            "wildcard can only be present in left most segment: " + repr(dn))
 
     # speed up common case w/o wildcards
     if not wildcards:
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
@@ -512,10 +512,10 @@ def fail(cert, hostname):
         fail(cert, 'Xa.com')
         fail(cert, '.a.com')
 
-        # only match one left-most wildcard
+        # only match wildcard in left-most segment
         cert = {'subject': ((('commonName', 'f*.com'),),)}
-        ok(cert, 'foo.com')
-        ok(cert, 'f.com')
+        fail(cert, 'foo.com')
+        fail(cert, 'f.com')
         fail(cert, 'bar.com')
         fail(cert, 'foo.a.com')
         fail(cert, 'bar.foo.com')
@@ -637,7 +637,7 @@ def fail(cert, hostname):
         # Issue #17980: avoid denials of service by refusing more than one
         # wildcard per fragment.
         cert = {'subject': ((('commonName', 'a*b.com'),),)}
-        ok(cert, 'axxb.com')
+        fail(cert, 'axxb.com')
         cert = {'subject': ((('commonName', 'a*b.co*'),),)}
         fail(cert, 'axxb.com')
         cert = {'subject': ((('commonName', 'a*b*.com'),),)}
