Expose reasons for SSL/TLS cert verification failures
Hi Python enthusiasts, Currently _ssl.c always reports CERTIFICATE_VERIFY_FAILED for any certification verification errors. In OpenSSL, it's possible to tell from different reasons that lead to CERTIFICATE_VERIFY_FAILED. For example, https://expired.badssl.com/ reports X509_V_ERR_CERT_HAS_EXPIRED, and https://self-signed.badssl.com/ reports X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Seems CPython does not expose such information yet? I hope it can be added to CPython. For example, creating a new exception class SSLCertificateError, which is a subclass of SSLError, that provides error codes like X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Any ideas? The attachment is a naive try to printf some information about a verification failure. It's just a proof-of-concept and does not provide any practical advantage :) Best, Yen Chi Hsuan
On 2016-09-09 12:23, Chi Hsuan Yen wrote:
Hi Python enthusiasts,
Currently _ssl.c always reports CERTIFICATE_VERIFY_FAILED for any certification verification errors. In OpenSSL, it's possible to tell from different reasons that lead to CERTIFICATE_VERIFY_FAILED. For example, https://expired.badssl.com/ reports X509_V_ERR_CERT_HAS_EXPIRED, and https://self-signed.badssl.com/ reports X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Seems CPython does not expose such information yet? I hope it can be added to CPython. For example, creating a new exception class SSLCertificateError, which is a subclass of SSLError, that provides error codes like X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Any ideas?
The attachment is a naive try to printf some information about a verification failure. It's just a proof-of-concept and does not provide any practical advantage :)
I'm planning to add a proper validation hook to 3.7. I haven't had time to design and implement it for 3.6. Christian
On Sat, Sep 10, 2016 at 1:16 AM, Christian Heimes <christian@python.org> wrote:
On 2016-09-09 12:23, Chi Hsuan Yen wrote:
Hi Python enthusiasts,
Currently _ssl.c always reports CERTIFICATE_VERIFY_FAILED for any certification verification errors. In OpenSSL, it's possible to tell from different reasons that lead to CERTIFICATE_VERIFY_FAILED. For example, https://expired.badssl.com/ reports X509_V_ERR_CERT_HAS_EXPIRED, and https://self-signed.badssl.com/ reports X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Seems CPython does not expose such information yet? I hope it can be added to CPython. For example, creating a new exception class SSLCertificateError, which is a subclass of SSLError, that provides error codes like X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Any ideas?
The attachment is a naive try to printf some information about a verification failure. It's just a proof-of-concept and does not provide any practical advantage :)
I'm planning to add a proper validation hook to 3.7. I haven't had time to design and implement it for 3.6.
Christian
_______________________________________________ Python-ideas mailing list Python-ideas@python.org https://mail.python.org/mailman/listinfo/python-ideas Code of Conduct: http://python.org/psf/codeofconduct/
Thanks for the clarification. I know there are only a few hours before 3.6 feature freeze :) Is there already a bug? If not I can help creating one and paste related materials for easier tracking. Best, Yen Chi Hsuan
participants (2)
-
Chi Hsuan Yen -
Christian Heimes