Dear Michael,

On Tue, Nov 13, 2018 at 10:24 PM Michael Casadevall <michael@casadevall.pro> wrote:

> So, here is a question for the list: Where in the stack should IDN/EAI translation happen? Should it happen in the user application, or lower in the stack such as the core libraries that handle things like TLS connections?
> ...
> This leads library makers and applications to handle IDNs manually, which, in the case of Python, if they make a mistake, can lead to the above error, namely blowing up Python. Now, in practice, OpenSSL not directly supporting IDNs seems to have relatively little effect on its own. After taking a very deep dive through the RFCs, it appears that in all relevant places, everything relating to web TLS certificates takes EAI5Address encoding and thus requires punycode representation. However, as I've just shown, there are obviously places where things have fallen through the cracks and I think it warrants a deeper investigation.
I think that error in IDN processing in OpenSSL itself can cause a lot of bad consequences being worse than errors in any application using OpenSSL. So I understand the position of OpenSSL Team when they do not want to implement such support here.
> The thing is though, and just to reiterate the question, just where in the stack should IDN translation happen?
> In the above case, had OpenSSL supported IDNs directly, it would have prevented this bug in the first place. That being said, since TLS essentially only uses A-labels as far as I can tell, I can't necessarily say it's wrong that OpenSSL doesn't support IDNs. I think, though, this is an area which, in general, needs more attention, especially if I can break a popular programming language with a trivial example.
> Thoughts and comments welcome, Michael
> * - there is one special case for wildcards
In my (rather limited) practice I usually use A-labels for internal representation and U-labels (or both) for external. Script languages, such as Python, Perl, PHP etc., usually provide wrappers for IDN converters so it's much simpler to do this conversion outside in applications.

-- 
SY, Dmitry Belyavsky
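The "A-labels internally" practice from the reply, as an added example that is not code from either poster: the host name is converted to A-labels with Python's standard-library "idna" codec (IDNA 2003) before it is compared with a certificate's dNSName SAN entries, so the TLS-side comparison only ever sees ASCII; the codec's UnicodeError on empty or over-long labels is turned into a plain ValueError instead of escaping from deep inside the library, and the wildcard special case is handled as a whole leftmost label matching exactly one label. Function names and the sample names are assumptions for the example.

```python
from typing import List


def to_a_labels(hostname: str) -> str:
    """Return hostname as lowercase A-labels; reject malformed labels cleanly."""
    out = []
    for label in hostname.rstrip(".").split("."):
        try:
            if label.isascii():
                a_label = label.lower()  # ASCII label: case-fold only
                if not 0 < len(a_label) < 64:
                    raise UnicodeError("label empty or too long")
            else:
                # IDNA ToASCII: nameprep + punycode, e.g. "bücher" -> "xn--bcher-kva"
                a_label = label.encode("idna").decode("ascii")
        except UnicodeError as exc:
            # Surface a clear error instead of letting the codec exception escape
            raise ValueError(f"invalid host label {label!r}: {exc}") from None
        out.append(a_label)
    return ".".join(out)


def san_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """Match a presented name against dNSName SANs, comparing A-labels only."""
    host = to_a_labels(hostname)
    for san in san_dns_names:
        pattern = to_a_labels(san)  # SANs should already be A-labels; normalize anyway
        if pattern.startswith("*."):
            # Wildcard special case: "*" must be the whole leftmost label and
            # matches exactly one label of the presented name.
            head, _, rest = host.partition(".")
            if head and rest == pattern[2:]:
                return True
        elif pattern == host:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    print(to_a_labels("Bücher.Example"))
    print(san_matches("www.bücher.example", ["*.xn--bcher-kva.example"]))
```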