[Patches] [ python-Patches-1114345 ] Add SSL certificate validation

SourceForge.net noreply at sourceforge.net
Wed Jun 21 21:43:53 CEST 2006


Patches item #1114345, was opened at 2005-02-01 18:04
Message generated for change (Comment added) made by jbowes
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1114345&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Modules
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: James Eagan (noonian)
Assigned to: Nobody/Anonymous (nobody)
Summary: Add SSL certificate validation

Initial Comment:
One line summary: adds certificate validation to the SSL module 
and programmer-level hooks to control how and whether 
certificate validation is performed.

Details:
The current SSL implementation in python goes through the 
motions of negotiating an SSL connection, but never validates the 
certificates exchanged.  This is like going through the motions of 
checking someone's photo id, but never making sure the picture 
matches the person you're talking to.  This patch fixes that.

This patch adds 3 module-level variables to the socket module, 
which get exposed iff ssl is built in.  These variables (ssl_ca_file, 
ssl_ca_path, and ssl_verify_level) provide programmer-level 
access to the certificate authorities database and to control what 
level of certificate verification is performed (by default, none, as is 
the current behavior).

If certificate verification is enabled, then one of the two certificate 
authority parameters must be set to  a valid certificate authority 
database or all certificate verification operations will fail.  I have 
an example certificate authority database (extracted from the Java 
keystore) that I can provide, but I'm not sure how to contribute 
that through the patch mechanism.

Cheers!
James Eagan

----------------------------------------------------------------------

Comment By: James Bowes (jbowes)
Date: 2006-06-21 14:43

Message:
Logged In: YES 
user_id=1543815

I put together an updated version of this patch against svn
trunk as of June 21, 2006. I also added some additional
documentation to the .tex file.

Maybe someone with sufficient privilidges (or James, if
you're still out there) could attach the updated patch here?

the updated patch is at:
http://www.dangerouslyinc.com/~bowes/ssl_ca.diff

Regards,
James Bowes

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1114345&group_id=5470


More information about the Patches mailing list