Skip to content

Commit

Permalink
Strip trailing dot from FQDNs in Host and TLS
Browse files Browse the repository at this point in the history
The TLS verification fails with an exception if the client uses
a fully-qualified domain name with a trailing dot,
like https://github.com./ :

aiohttp.client_exceptions.ClientConnectorCertificateError:
Cannot connect to host github.com.:443 ssl:True
[SSLCertVerificationError: (1, "[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: Hostname mismatch,
certificate is not valid for 'github.com.'. (_ssl.c:1051)")]

The reason is that TLS certificates do not contain the trailing dot,
as per RFC 6066:

"HostName" contains the fully qualified DNS hostname of the server,
   as understood by the client.  The hostname is represented as a byte
   string using ASCII encoding without a trailing dot.

We need to strip the trailing dot for TLS context and Host header,
where trailing dots are not present.
For DNS resolution, we need to include the trailing dot as it signifies
a fully-qualified domain name (FQDN).
DNS lookups of FQDNs are faster as the resolver does not need to check
DNS search path, like for relative DNS names.

Closes aio-libs#3636
  • Loading branch information
martin-sucha committed Jul 12, 2023
1 parent 7911f1e commit 1bf3c4a
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 1 deletion.
3 changes: 3 additions & 0 deletions aiohttp/client_reqrep.py
Original file line number Diff line number Diff line change
Expand Up @@ -340,6 +340,9 @@ def update_headers(self, headers: Optional[LooseHeaders]) -> None:
netloc = cast(str, self.url.raw_host)
if helpers.is_ipv6_address(netloc):
netloc = f"[{netloc}]"
elif netloc.endswith(":"):
# Strip trailing dot. See https://github.com/aio-libs/aiohttp/issues/3636.
netloc = netloc[:-1]
if self.url.port is not None and not self.url.is_default_port():
netloc += ":" + str(self.url.port)
self.headers[hdrs.HOST] = netloc
Expand Down
9 changes: 8 additions & 1 deletion aiohttp/connector.py
Original file line number Diff line number Diff line change
Expand Up @@ -1117,6 +1117,13 @@ def drop_exception(fut: "asyncio.Future[List[Dict[str, Any]]]") -> None:
port = hinfo["port"]

try:
server_hostname = None
if sslcontext:
server_hostname = hinfo["hostname"]
if server_hostname.endswith("."):
# Strip trailing dot, certificates contain FQDN without dot.
# See https://github.com/aio-libs/aiohttp/issues/3636
server_hostname = server_hostname[:-1]
transp, proto = await self._wrap_create_connection(
self._factory,
host,
Expand All @@ -1126,7 +1133,7 @@ def drop_exception(fut: "asyncio.Future[List[Dict[str, Any]]]") -> None:
family=hinfo["family"],
proto=hinfo["proto"],
flags=hinfo["flags"],
server_hostname=hinfo["hostname"] if sslcontext else None,
server_hostname=server_hostname,
local_addr=self._local_addr,
req=req,
client_error=client_error,
Expand Down

0 comments on commit 1bf3c4a

Please sign in to comment.