[New-bugs-announce] [issue18735] SSL/TLS pinning for the ssl module

raymontag report at bugs.python.org
Wed Aug 14 13:21:30 CEST 2013

New submission from raymontag:


I would like to see an implementation for SSL/TLS pinning in the sll module of the standard library.

At this moment it's only possible to give the client a CAcert and check if the server's certificate is signed with this CA by creating a ssl.Context object with ssl.Context("/path/to/cafile"). If I don't know the server's certificate, that is I just have the root certificate, this is okay. But if I implement my own server/client structure I know the server's certificate. And here comes pinning into play: If I know server's certificate I could not only check if it's signed with my CA but also if it is the specific certificate I've signed. This is a better protection against MITM e.g. and would be a great enhancement of the ssl module IMHO.


messages: 195130
nosy: raymontag
priority: normal
severity: normal
status: open
title: SSL/TLS pinning for the ssl module
type: enhancement

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list