Skip to content

Strip trailing dot from FQDNs in Host and TLS context#7601

Merged
Dreamsorcerer merged 1 commit intoaio-libs:3.9from
kiwicom:patchback/backports/3.9/d84fcf7c52e7f44b81aae24dc2a7ad2bccc76c9b/pr-7364
Sep 30, 2023
Merged

Strip trailing dot from FQDNs in Host and TLS context#7601
Dreamsorcerer merged 1 commit intoaio-libs:3.9from
kiwicom:patchback/backports/3.9/d84fcf7c52e7f44b81aae24dc2a7ad2bccc76c9b/pr-7364

Conversation

@martin-sucha
Copy link
Copy Markdown
Contributor

@martin-sucha martin-sucha commented Sep 12, 2023

Before this patch, the TLS verification fails with an exception if the client uses a fully-qualified domain name with a trailing dot, like https://github.com./ :

aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host github.com.:443 ssl:True
[SSLCertVerificationError: (1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
certificate is not valid for 'github.com.'. (_ssl.c:1051)")]

The reason is that TLS certificates do not contain the trailing dot, as per RFC 6066:

"HostName" contains the fully qualified DNS hostname of the server,
as understood by the client. The hostname is represented as a byte
string using ASCII encoding without a trailing dot.

This change makes aiohttp strip the trailing dot for TLS context and Host header, where trailing dots are not present.
For DNS resolution, we include the trailing dot as it signifies a fully-qualified domain name (FQDN).
DNS lookups of FQDNs are faster as the resolver does not need to check DNS search path, like for relative DNS names.

This effectively allows clients to connect to server if URL has dot at the end of the hostname, e.g. `https://example.com./.

Fixes #3636
PR #7364

Co-authored-by: Sviatoslav Sydorenko [email protected]
(cherry picked from commit d84fcf7)

What do these changes do?

Backport #7364 into 3.9

Are there changes in behavior for the user?

Related issue number

Checklist

  • I think the code is well written
  • Unit tests for the changes exist
  • Documentation reflects the changes
  • If you provide code modification, please add yourself to CONTRIBUTORS.txt
    • The format is <Name> <Surname>.
    • Please keep alphabetical order, the file is sorted by names.
  • Add a new news fragment into the CHANGES folder
    • name it <issue_id>.<type> for example (588.bugfix)
    • if you don't have an issue_id change it to the pr id after creating the pr
    • ensure type is one of the following:
      • .feature: Signifying a new feature.
      • .bugfix: Signifying a bug fix.
      • .doc: Signifying a documentation improvement.
      • .removal: Signifying a deprecation or removal of public API.
      • .misc: A ticket has been closed, but it is not of interest to users.
    • Make sure to use full sentences with correct case and punctuation, for example: "Fix issue with non-ascii contents in doctest text files."

@martin-sucha @webknjaz
Strip trailing dot from FQDNs in Host and TLS context
54971a2 
Before this patch, the TLS verification fails with an exception if
the client uses a fully-qualified domain name with a trailing dot,
like https://github.com./ :
```console
aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host github.com.:443 ssl:True
[SSLCertVerificationError: (1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
certificate is not valid for 'github.com.'. (_ssl.c:1051)")]
```
The reason is that TLS certificates do not contain the trailing dot, as
per RFC 6066:

"HostName" contains the fully qualified DNS hostname of the server,
   as understood by the client.  The hostname is represented as a byte
   string using ASCII encoding without a trailing dot.

This change makes aiohttp strip the trailing dot for TLS context and
Host header, where trailing dots are not present.
For DNS resolution, we include the trailing dot as it signifies
a fully-qualified domain name (FQDN).
DNS lookups of FQDNs are faster as the resolver does not need to check
DNS search path, like for relative DNS names.

This effectively allows clients to connect to server if URL has dot at the
end of the hostname, e.g. `https://example.com./.

Fixes aio-libs#3636
PR aio-libs#7364

Co-authored-by: Sviatoslav Sydorenko <[email protected]>
(cherry picked from commit d84fcf7)
@psf-chronographer psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Sep 12, 2023
@martin-sucha martin-sucha mentioned this pull request Sep 12, 2023
Merged
5 tasks
@codecov
Copy link
Copy Markdown

codecov bot commented Sep 12, 2023
edited
Loading

Codecov Report

Merging #7601 (54971a2) into 3.9 (2ac5bbc) will decrease coverage by 0.01%.
Report is 9 commits behind head on 3.9.
The diff coverage is 98.82%.

@@            Coverage Diff             @@
##              3.9    #7601      +/-   ##
==========================================
- Coverage   97.30%   97.30%   -0.01%     
==========================================
  Files         107      107              
  Lines       31679    31715      +36     
  Branches     3669     3684      +15     
==========================================
+ Hits        30824    30859      +35     
  Misses        651      651              
- Partials      204      205       +1
Flag Coverage Δ
CI-GHA 97.22% <88.23%> (-0.03%) ⬇️
OS-Linux 96.90% <88.23%> (-0.03%) ⬇️
OS-Windows 94.40% <77.33%> (-0.06%) ⬇️
OS-macOS 96.54% <75.29%> (-0.07%) ⬇️
Py-3.10.11 94.31% <77.33%> (-0.05%) ⬇️
Py-3.10.12 ?
Py-3.10.13 96.75% <75.29%> (?)
Py-3.11.4 ?
Py-3.11.5 96.46% <77.64%> (?)
Py-3.8.10 94.28% <77.33%> (-0.06%) ⬇️
Py-3.8.17 ?
Py-3.8.18 96.68% <75.29%> (?)
Py-3.9.13 94.29% <77.33%> (-0.06%) ⬇️
Py-3.9.17 ?
Py-3.9.18 96.72% <75.29%> (?)
Py-pypy7.3.11 96.24% <75.29%> (-0.07%) ⬇️
VM-macos 96.54% <75.29%> (-0.07%) ⬇️
VM-ubuntu 96.90% <88.23%> (-0.03%) ⬇️
VM-windows 94.40% <77.33%> (-0.06%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed Coverage Δ
tests/conftest.py 91.50% <ø> (ø)
aiohttp/client_reqrep.py 97.68% <91.66%> (-0.17%) ⬇️
aiohttp/client.py 94.90% <100.00%> (+0.02%) ⬆️
aiohttp/client_ws.py 92.41% <100.00%> (+0.10%) ⬆️
aiohttp/connector.py 92.56% <100.00%> (+0.02%) ⬆️
aiohttp/cookiejar.py 98.83% <100.00%> (ø)
aiohttp/helpers.py 95.12% <100.00%> (+0.01%) ⬆️
aiohttp/web_ws.py 93.12% <100.00%> (+0.06%) ⬆️
tests/test_client_request.py 99.61% <100.00%> (+<0.01%) ⬆️
tests/test_client_response.py 99.12% <100.00%> (-0.03%) ⬇️
... and 4 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@Dreamsorcerer Dreamsorcerer merged commit c9e4d02 into aio-libs:3.9 Sep 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@webknjaz webknjaz Awaiting requested review from webknjaz

@asvetlov asvetlov Awaiting requested review from asvetlov

Assignees

No one assigned

Labels

bot:chronographer:provided There is a change note present in this PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@martin-sucha @Dreamsorcerer