[UA-discuss] OpenSSL, was Where should IDN translation happen?

John Levine john.levine at standcore.com
Wed Nov 14 01:19:47 UTC 2018


In article <8ac39f55-d9ae-7c8a-f50c-4535e0428263 at casadevall.pro> you write:
>This leads library makers and applications to handle IDNs manually,
>which in the case of Python, if they made a mistake can lead to the
>above error, namely blowing up Python.

It's actually worse than that.  Python's built-in IDNA support is
IDNA2003 which, as we saw in a recent thread, can give some fairly
wrong results.  There is a correct idna library which is a drop-in
replacement but I doubt many programmers know the difference.

>In the above case, had OpenSSL supported IDNs directly, it would have
>prevented this bug in the first place. That being said, since TLS
>essentially only uses A-labels as far as I can tell, I can’t necessarily
>say it’s wrong that OpenSSL doesn’t support IDNs.

RFCs 8398 and 8399 allow EAI mail addresses as Alternative Names and
suggest pretty strongly that even though the domains in certs are
A-labels, libraries should handle U-labels and convert where needed.
Since they have to handle U-labels in the EAI addresses, the domains
aren't a lot of extra work.

I presume that at some point OpenSSL will catch up with those RFCs but
I don't know what the schedule is.

R's,
John
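Added example (not code from the thread or from John Levine): the two points above, that Python's built-in `idna` codec implements IDNA2003 and can produce a different A-label than the IDNA2008 `idna` package, and that a careless caller can be blown up by the codec's `UnicodeError`, shown side by side, followed by a U-label-to-A-label conversion that a certificate-name check can use without crashing. It assumes only the standard library plus, optionally, the PyPI `idna` package; the hostnames and SAN values are constructed for illustration.

```python
"""Compare IDNA2003 (stdlib codec) with IDNA2008 (PyPI 'idna') and convert
U-labels to A-labels safely before matching against a certificate name.

Assumption: the third-party 'idna' package may or may not be installed;
everything degrades to the stdlib codec when it is absent."""

from typing import Optional, Tuple

try:
    import idna  # third-party IDNA2008 implementation (pip install idna)
    HAVE_IDNA2008 = True
except ImportError:  # fall back to the stdlib IDNA2003 codec only
    HAVE_IDNA2008 = False


def stdlib_a_label(hostname: str) -> Optional[str]:
    """Convert with Python's built-in codec (IDNA2003 + nameprep).

    Returns None instead of raising: the codec throws UnicodeError for
    empty labels ('a..b') and for labels longer than 63 octets, which is
    the kind of failure that takes down a caller that never expected it.
    Note that nameprep maps 'ß' to 'ss', so 'faß.de' becomes 'fass.de'."""
    try:
        return hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def idna2008_a_label(hostname: str) -> Optional[str]:
    """Convert with the 'idna' package (IDNA2008, RFC 5891).

    Returns None when the package is missing or rejects the name.
    idna.IDNAError is a UnicodeError subclass, so one clause covers it."""
    if not HAVE_IDNA2008:
        return None
    try:
        return idna.encode(hostname).decode("ascii")
    except UnicodeError:
        return None


def compare_conversions(hostname: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (IDNA2003 result, IDNA2008 result) so the difference is visible."""
    return stdlib_a_label(hostname), idna2008_a_label(hostname)


def a_label_for_matching(hostname: str) -> Optional[str]:
    """Normalise a name for comparison: prefer IDNA2008, else the stdlib
    codec; lower-case and strip a trailing dot.  An already-A-label input
    (e.g. a dNSName from a certificate) passes through unchanged."""
    label = idna2008_a_label(hostname) if HAVE_IDNA2008 else stdlib_a_label(hostname)
    if label is None:
        return None
    return label.lower().rstrip(".")


def hostname_matches_san(hostname: str, san_dnsname: str) -> bool:
    """Exact match of a (possibly U-label) hostname against a certificate
    dNSName, which the RFCs expect to carry an A-label.  Both sides are
    converted to A-labels first; any conversion failure is a mismatch,
    never an exception.  Wildcards are deliberately out of scope."""
    ours = a_label_for_matching(hostname)
    theirs = a_label_for_matching(san_dnsname)
    return ours is not None and theirs is not None and ours == theirs


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for name in ("bücher.example", "faß.de", "a..b", "x" * 64 + ".example"):
        print(f"{name!r:32} IDNA2003={stdlib_a_label(name)!r:28} "
              f"IDNA2008={idna2008_a_label(name)!r}")
    print("faß.de vs xn--fa-hia.de:", hostname_matches_san("faß.de", "xn--fa-hia.de"))
```

With only the standard library installed, `faß.de` is matched against a certificate for `xn--fa-hia.de` as a mismatch, because the IDNA2003 codec silently turned it into `fass.de`; with the `idna` package present the same call succeeds. That silent divergence, rather than the exception, is the harder bug to notice.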


