Hello, I would like to ask a few questions and suggestions regarding the ssl module (in Python 2.6). (I gather from [1] that there is some effort going on to enhance the ssl API, but I'm not sure if this is the right place to discuss it.) Like other Python users, I was a bit surprised by the lack of verification of httplib/urllib2 (hence I started to write a small library a while back, only published today [2]), but the following points are not HTTP-specific. 1. Hostname checking. From what I gather by reading the archives on this list, the issue of hostname checking seems controversial [3]. It seems widely admitted by browser communities nowadays to check that the hostname the CN field of the subject DN or the DNS entries of subjectAltName. I'd feel more comfortable if this was the default behaviour of the client in Python's SSL module, although having a mechanism to override this would be useful indeed. It's more or less a basic security requirement to check the identity of the server before doing anything else. 2. Cipher suite selection. It's useful to restrict the list of cipher suites that can be used, not just for speed (as mentioned in [1]), but also because some cipher suites may be considered insecure by some institutions. This would be a good feature to have indeed. 3. Full chain of certificates. The PyOpenSSL module is able to take a callback function that verifies each certificate in the chain (using depth). According to the documentation, the ssl module only exposes the first certificate in the chain (no CA). In some applications, it is useful to verify certain policies according to attributes further up in the chain. I'd like to suggest having an "SSLSocket.getpeercerts(binary_form=False)" (plural) that returns a list of certificates in the verification chain. Is there a place where the status of the ssl module is summarized, or a better place to discuss this? I could try to provide contributions or further details if appropriate. Best wishes, Bruno. [1] http://mail.python.org/pipermail/python-dev/2009-September/091636.html [2] http://code.google.com/p/python-httpclient [2] http://bugs.python.org/issue1589
Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> wrote:
Hello,
I would like to ask a few questions and suggestions regarding the ssl module (in Python 2.6). (I gather from [1] that there is some effort going on to enhance the ssl API, but I'm not sure if this is the right place to discuss it.)
Is there a place where the status of the ssl module is summarized, or a better place to discuss this? I could try to provide contributions or further details if appropriate.
Yes, please look at the issues in the issue tracker already, and contribute there. We could particularly use more test cases to support patches that people have already submitted.
Like other Python users, I was a bit surprised by the lack of verification of httplib/urllib2 (hence I started to write a small library a while back, only published today [2]), but the following points are not HTTP-specific.
1. Hostname checking.
From what I gather by reading the archives on this list, the issue of hostname checking seems controversial [3]. It seems widely admitted by browser communities nowadays to check that the hostname the CN field of the subject DN or the DNS entries of subjectAltName. I'd feel more comfortable if this was the default behaviour of the client in Python's SSL module, although having a mechanism to override this would be useful indeed. It's more or less a basic security requirement to check the identity of the server before doing anything else.
I don't think it should happen by default in the ssl module client code, but I agree it makes sense to do that in various application uses of SSL, such as the httplib support for https, since that behavior is (annoyingly) called for in the (experimental, not standard) RFC which defines HTTP over SSL, and, as you say, it's widely done in Web browsers when https is being used. If you check the issues, you'll see that I think there should be a helper function in the ssl module to do this checking. Would you like to contribute one? Please either attach it to an already open issue, or start a new feature request issue.
2. Cipher suite selection.
It's useful to restrict the list of cipher suites that can be used, not just for speed (as mentioned in [1]), but also because some cipher suites may be considered insecure by some institutions. This would be a good feature to have indeed.
Yes, I agree.
3. Full chain of certificates.
The PyOpenSSL module is able to take a callback function that verifies each certificate in the chain (using depth). According to the documentation, the ssl module only exposes the first certificate in the chain (no CA). In some applications, it is useful to verify certain policies according to attributes further up in the chain. I'd like to suggest having an "SSLSocket.getpeercerts(binary_form=False)" (plural) that returns a list of certificates in the verification chain.
Feel free to use PyOpenSSL for more complicated applications, like the one you mention, and to file more issues on the Python issue tracker about this. Though, we were striving to have something small and simple in the ssl module, not a feature-full binding to OpenSSL. Oh, and there's also a stdlib-sig, which (since the ssl module is part of the stdlib) might be an appropriate place to discuss it. Bill
Is there a place where the status of the ssl module is summarized
The documentation of the ssl module should describe its features correctly and precisely.
or a better place to discuss this? I could try to provide contributions or further details if appropriate.
For contributions, this is indeed the right place for discussion. For mere inquiries for help, other places are better (such as python-list). For specific feature requests, use the bug tracker. Regards, Martin
participants (3)
-
"Martin v. Löwis" -
Bill Janssen -
Bruno Harbulot