[Catalog-sig] [PSF-Members] SSL validation

Jesse Noller jnoller at gmail.com
Mon Feb 4 18:09:39 CET 2013



On Monday, February 4, 2013 at 11:15 AM, Giovanni Bajo wrote:

> On 04/feb/2013, at 17:04, "Antoine Pitrou" <solipsis at pitrou.net> wrote:
> 
> > Hi,
> > 
> > > On 04/feb/2013, at 16:02, Laurens Van Houtven <_ at lvh.cc>
> > > wrote:
> > > 
> > > > On Mon, Feb 4, 2013 at 3:51 PM, Giovanni Bajo <rasky at develer.com> wrote:
> > > > > 
> > > > > (That reminds me; does the stdlib still ignore OCSP?)
> > > > > 
> > > > > TBH, it's worse than that; it doesn't even check SSL certificates by
> > > > > default. The default is to ignore any certificate sent by the server
> > > > > and get on with the connection.
> > > > 
> > > > Right, but IIUC you can at least convince it to verify certs by
> > > > setting the appropriate flag;
> > > 
> > > Something like that; it's missing an (auto-updating) CA bundle or a way to
> > > read the operating system's one, and a function that matches the server
> > > name with either CN or SAN fields with the correct wildcard rules (this
> > > was added in Python 3.2).
> > 
> > SSLContext is your friend:
> > http://docs.python.org/3.3/library/ssl.html#ssl.SSLContext.set_default_verify_paths
> 
> Thanks for the pointer, but that's 3.2+ only. We need a working solution for all versions supported by pip, if we treat it as a security bug (I think we should).
I concur very strongly. Since this issue has come out I've had more and more proofs of concept and issues brought to my attention in this arena. I'm working on collecting notes and other items to move forward with in a single document. As needed I will be working on having the PSF fund needed areas.

jesse 
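The quoted exchange above names the three things a client needs and the thread says the stdlib of the day did not give by default: a required, CA-verified certificate, and a server-name check that prefers SAN over CN and applies wildcard rules. The block below is an added example written for this archive page; it is not code from the thread, from pip, or from Python's own ssl module. It implements the name check against the dict shape that ssl.SSLSocket.getpeercert() returns, and puts the verifying SSLContext next to the deliberately non-verifying one for contrast. The certificate dicts are constructed samples, not real certificates; the wildcard rules chosen (whole leftmost label only, matching exactly one label, and at least two literal labels after the wildcard so that "*.com" is rejected) are stricter than the original ssl.match_hostname and are this example's choice. ssl.create_default_context requires Python 3.4 or later.

```python
"""Added example (not from the thread, pip, or CPython): server-name
matching over getpeercert() data plus verifying vs. non-verifying
SSLContext configuration. Sample certificate dicts are constructed."""
import ssl


def dnsname_match(pattern, hostname):
    """Match one certificate name against a hostname.

    Rules chosen here (RFC 6125 6.4.3, tightened to browser practice):
    case-insensitive; a wildcard may only be the entire leftmost label
    and matches exactly one label, so '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com';
    and at least two literal labels must follow the wildcard, so
    '*.com' never matches anything.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    leftmost, sep, rest = pattern.partition(".")
    if leftmost != "*" or not sep or "*" in rest or rest.count(".") < 1:
        return False
    host_left, host_sep, host_rest = hostname.partition(".")
    return bool(host_left) and bool(host_sep) and host_rest == rest


def hostname_matches(cert, hostname):
    """True if hostname is covered by a dNSName SAN entry, or, only when
    the certificate carries no dNSName SAN at all, by the subject
    commonName (RFC 6125 6.4.4: SAN present means CN is ignored)."""
    if not cert:
        # getpeercert() returns {} when the peer cert was not verified;
        # failing loudly here is the point of the whole exercise.
        raise ValueError("no verified peer certificate; was verify_mode CERT_NONE?")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(dnsname_match(name, hostname) for name in names)


def verify_peer_name(cert, hostname):
    """Raising variant, in the style of the old ssl.match_hostname."""
    if not hostname_matches(cert, hostname):
        raise ssl.CertificateError(
            "hostname %r doesn't match the certificate's names" % hostname)


def verifying_context(cafile=None):
    """The configuration the thread asks for: certificate required,
    checked against a CA bundle (OpenSSL's default paths and the OS
    store unless cafile is given), and server name checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def unverified_context():
    """The behaviour the thread complains about, made explicit: any
    certificate is accepted. check_hostname has to be cleared before
    verify_mode, otherwise the assignment raises ValueError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed samples in the shape of getpeercert(); not real certificates.
SAN_CERT = {
    "subject": ((("commonName", "pypi.python.org"),),),
    "subjectAltName": (("DNS", "pypi.python.org"), ("DNS", "*.pypi.python.org")),
}
CN_ONLY_CERT = {"subject": ((("countryName", "US"),), (("commonName", "example.com"),))}
MISMATCHED_SAN_CERT = {
    "subject": ((("commonName", "example.com"),),),  # CN matches, but SAN wins
    "subjectAltName": (("DNS", "other.example.net"),),
}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "pypi.python.org"),
                       (SAN_CERT, "files.pypi.python.org"),
                       (SAN_CERT, "a.b.pypi.python.org"),
                       (CN_ONLY_CERT, "example.com"),
                       (MISMATCHED_SAN_CERT, "example.com")]:
        print("%-25s %s" % (host, hostname_matches(cert, host)))
```

To use it against a live connection, wrap a socket with verifying_context().wrap_socket(sock, server_hostname=host); with check_hostname enabled the library performs the same kind of name check itself, and verify_peer_name(sock.getpeercert(), host) is the equivalent for interpreters where that attribute is unavailable.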