[Python-Dev] More on server-side SSL support
Bill Janssen
janssen at parc.com
Tue Aug 21 02:39:39 CEST 2007
> * Allow certificate validation. This is a bit tricky; typically
> certs are validated against some database of root certificates, so you
> need a whole infrastructure to maintain that database. Currently, we
> don't have one, so no certs can be validated. We could add a switch
> to allow auto-validation of self-signed certs pretty easily. I could
> add a parameter to the SSLObject constructor which would be a filepath
> for a file full of root certs (see SSL_CTX_load_verify_locations(3ssl)).
The simplest way to do verification is to allow the application to
provide a set of root certs that it would like to verify against, and
use the built-in OpenSSL verification procedure.
The OpenSSL CAcerts file format is just a number of certificates
concatenated together, separated by text headers that identify the
boundary:
-----BEGIN CERTIFICATE-----
... (CA certificate in base64 encoding) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (another CA certificate in base64 encoding) ...
-----END CERTIFICATE-----
...
I suggest we just use that. Applications which want something fancier
are free to implement something :-).
Bill
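The bundle format described above, as an added example that is not part of the original post or of the ssl module: a small Python parser that splits a concatenated PEM file into DER certificates and rejects truncated or malformed blocks rather than silently dropping a root from the trust store. The sample bundle and the _fake_der helper are constructed placeholders, not real certificates; the same file format is what ssl.SSLContext.load_verify_locations(cafile=...) consumes in today's stdlib.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def parse_ca_bundle(text):
    """Split a concatenated PEM bundle into DER-encoded certificates.

    Text outside the BEGIN/END markers (comments, "Subject:" lines,
    blank lines) is ignored, as OpenSSL does.  A block that is
    truncated, nested, or not valid base64 raises ValueError rather
    than being skipped: a silently dropped root shrinks the trust
    store without anyone noticing.
    """
    certs = []
    block = None  # base64 lines of the block being read, or None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if block is not None:
                raise ValueError("line %d: BEGIN inside an open block" % lineno)
            block = []
        elif line == END:
            if block is None:
                raise ValueError("line %d: END without BEGIN" % lineno)
            try:
                der = base64.b64decode("".join(block), validate=True)
            except binascii.Error as exc:
                raise ValueError("line %d: bad base64 (%s)" % (lineno, exc))
            # An X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
            if not der or der[0] != 0x30:
                raise ValueError("line %d: block is not a DER SEQUENCE" % lineno)
            certs.append(der)
            block = None
        elif block is not None:
            block.append(line)
    if block is not None:
        raise ValueError("bundle ends inside an unterminated certificate block")
    return certs

def _fake_der(label):
    # Constructed placeholder: a 0x30 byte followed by a label, NOT a real cert.
    return b"\x30" + label

# Constructed sample bundle exercising the container format only.
SAMPLE_BUNDLE = "# comment outside the markers is ignored\n%s\n%s\n%s\nSubject: placeholder root 2\n%s\n%s\n%s\n" % (
    BEGIN, base64.b64encode(_fake_der(b"root-1")).decode(), END,
    BEGIN, base64.b64encode(_fake_der(b"root-2")).decode(), END)
```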