[Patches] [ python-Patches-1114345 ] Add SSL certificate validation
SourceForge.net
noreply at sourceforge.net
Wed Apr 25 10:33:05 CEST 2007
Patches item #1114345, was opened at 2005-02-02 00:04
Message generated for change (Comment added) made by vila-sf
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1114345&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Modules
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: James Eagan (noonian)
Assigned to: Nobody/Anonymous (nobody)
Summary: Add SSL certificate validation
Initial Comment:
One line summary: adds certificate validation to the SSL module
and programmer-level hooks to control how and whether
certificate validation is performed.
Details:
The current SSL implementation in python goes through the
motions of negotiating an SSL connection, but never validates the
certificates exchanged. This is like going through the motions of
checking someone's photo id, but never making sure the picture
matches the person you're talking to. This patch fixes that.
This patch adds 3 module-level variables to the socket module,
which get exposed iff ssl is built in. These variables (ssl_ca_file,
ssl_ca_path, and ssl_verify_level) provide programmer-level
access to the certificate authorities database and to control what
level of certificate verification is performed (by default, none, as is
the current behavior).
If certificate verification is enabled, then one of the two certificate
authority parameters must be set to a valid certificate authority
database or all certificate verification operations will fail. I have
an example certificate authority database (extracted from the Java
keystore) that I can provide, but I'm not sure how to contribute
that through the patch mechanism.
Cheers!
James Eagan
----------------------------------------------------------------------
Comment By: vila-sf (vila-sf)
Date: 2007-04-25 10:33
Message:
Logged In: YES
user_id=1584517
Originator: NO
Like nagle, I have a need for this.
But the updated patch is now returning a 404 :-(
Since we are at still three interested by that patch, what can we do ?
----------------------------------------------------------------------
Comment By: James Eagan (noonian)
Date: 2006-11-30 22:09
Message:
Logged In: YES
user_id=31389
Originator: YES
I'd be happy to make the changes löwis suggested, but it will be quite a
while before I can find the necessary time. If anyone else can update the
docs and tests, please let me know!
----------------------------------------------------------------------
Comment By: Martin v. Löwis (loewis)
Date: 2006-11-30 21:50
Message:
Logged In: YES
user_id=21627
Originator: NO
The patch is not integrated because nobody had the time to review it;
this, in turn, did not happen because we lack reviewers.
A quick review reveals that the patch is incomplete: it does not provide
changes to the documentation (which it needs to, because it introduces a
new feature).
The patch also includes no changes to the test suite.
----------------------------------------------------------------------
Comment By: John Nagle (nagle)
Date: 2006-11-30 21:13
Message:
Logged In: YES
user_id=5571
Originator: NO
This has been pending for a few months, and there's a fix, but it's not in
yet. What's going on?
I just had Python accept a totally bogus certificate from
"www.amaison.co.uk".
The certificate contents are
C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root at localhost.localdomain
Issuer identity:
C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root at localhost.localdomain
Python is perfectly happy with that. Which is embarassing.
----------------------------------------------------------------------
Comment By: Gustavo J. A. M. Carneiro (gustavo)
Date: 2006-11-09 16:20
Message:
Logged In: YES
user_id=908
> This patch adds 3 module-level variables to the socket
module, which get exposed iff ssl is built in. These
variables (ssl_ca_file, ssl_ca_path, and ssl_verify_level)
provide programmer-level access to the certificate
authorities database and to control what level of
certificate verification is performed (by default, none, as
is the current behavior).
Are you sure it's a good idea to have this kind of 'global'
control over certification authorities? Global
configurations are handy at first, but they come back and
bite us when we least expect it...
----------------------------------------------------------------------
Comment By: James Eagan (noonian)
Date: 2006-11-09 15:43
Message:
Logged In: YES
user_id=31389
Nagle: I haven't heard anything from anyone besides you and jbowes abou
this patch here or on the python-dev list, and I haven't had time to
follow up. You might have more success via the email list. (Or, if any of
the python maintainers is reading this, do you have any suggestions to
make this patch more attractive?)
----------------------------------------------------------------------
Comment By: John Nagle (nagle)
Date: 2006-11-09 05:14
Message:
Logged In: YES
user_id=5571
What's the status of this? Is it going in? I have a need
for it. Thanks.
----------------------------------------------------------------------
Comment By: James Bowes (jbowes)
Date: 2006-06-21 21:43
Message:
Logged In: YES
user_id=1543815
I put together an updated version of this patch against svn
trunk as of June 21, 2006. I also added some additional
documentation to the .tex file.
Maybe someone with sufficient privilidges (or James, if
you're still out there) could attach the updated patch here?
the updated patch is at:
http://www.dangerouslyinc.com/~bowes/ssl_ca.diff
Regards,
James Bowes
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1114345&group_id=5470
More information about the Patches
mailing list