[New-bugs-announce] [issue24646] Python accepts SSL certificate that should be rejected on OSX
Jussi Pakkanen
report at bugs.python.org
Thu Jul 16 21:04:33 CEST 2015
New submission from Jussi Pakkanen:

Create a dummy certificate and build an ssl context like this:

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=dummy_certificate)

Then try to connect to a public service like this:

    u = urllib.request.urlopen('https://www.google.com', context=ctx)
    data = u.read()

Python will validate the server certificate even though it should reject it. Attached is a script to demonstrate this.
This happens with Python 3.4.3 on OSX 10.10.4. Running the same script in Ubuntu raises a certificate rejection exception as expected.
----------
components: Library (Lib)
files: sslbug.py
messages: 246813
nosy: jpakkane
priority: normal
severity: normal
status: open
title: Python accepts SSL certificate that should be rejected on OSX
type: security
versions: Python 3.4
Added file: http://bugs.python.org/file39936/sslbug.py
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24646>
_______________________________________
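
An offline self-test for the behaviour reported above, added here as an example; it is not the attached sslbug.py and not code from the reporter or the Python project. It assumes the `openssl` command-line tool is on PATH, uses a local server in place of www.google.com and `PROTOCOL_TLS_CLIENT` in place of `PROTOCOL_TLSv1`, and all function names are hypothetical.

```python
import os, socket, ssl, subprocess, tempfile, threading
from pathlib import Path

def make_self_signed(workdir, name):
    """Create a throwaway self-signed certificate (assumes openssl on PATH)."""
    crt, key = os.path.join(workdir, name + ".crt"), os.path.join(workdir, name + ".key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + name, "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key

def serve_one_handshake(crt, key):
    """Start a local TLS server that handles one connection; return its port."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(crt, key)
    listener = socket.create_server(("127.0.0.1", 0))
    def run():
        with listener:
            conn, _ = listener.accept()
            try:
                sctx.wrap_socket(conn, server_side=True).close()
            except OSError:
                pass  # client aborted the handshake, the expected outcome
    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()[1]

def client_accepts(cadata, port):
    """True if a context trusting only `cadata` completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # chain validation only; name matching is out of scope
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=cadata)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            ctx.wrap_socket(raw).close()
        return True
    except ssl.SSLCertVerificationError:
        return False

def self_test():
    """Return (accepted_with_dummy_ca, accepted_with_real_ca); a sound build gives (False, True)."""
    with tempfile.TemporaryDirectory() as d:
        dummy_crt, _ = make_self_signed(d, "dummy-ca")      # constructed, unrelated CA
        srv_crt, srv_key = make_self_signed(d, "localhost")  # constructed server cert
        wrong = client_accepts(Path(dummy_crt).read_text(), serve_one_handshake(srv_crt, srv_key))
        right = client_accepts(Path(srv_crt).read_text(), serve_one_handshake(srv_crt, srv_key))
    return wrong, right

if __name__ == "__main__":
    print(self_test())
```

A first value of True means the handshake succeeded with only the unrelated dummy certificate loaded, which is the behaviour this report describes.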