[Python-Dev] SSL Certificate Validation

"Martin v. Löwis" martin at v.loewis.de
Tue Jun 16 22:14:35 CEST 2009


>> This question is really off-topic for python-dev. As a python-dev
>> poster, you should do research upfront, and only post on what you
>> consider facts.
> 
> Martin, I told him to ask his question about _ssl internals on
> python-dev as he is new, and looking to work on some of the
> internals/make a patch for core. I didn't think that asking internals
> questions was a faux pas for the list, especially as he's looking to
> submit a patch to core.

Hmm. For somebody new to Python, I'm fairly skeptical that the SSL
module is the best starting point.

>>> Where I'm going with this is I think all this checking needs to be part
>>> of certificate validation in the ssl module. If it isn't yet, I'd be
>>> happy to work on a patch for it. Please let me know what you think.
>> I think you need to familiarize yourself much more with OpenSSL.
> 
> I don't think that's called for, he is attempting to familiarize
> himself and simply inquiring about some of the internals. I'm sure
> he'll know plenty by the time the patch is more fully formed.

But I really do believe that this is what he need to do next:
familiarize himself with OpenSSL. There is a lot of APIs in that
library, and it takes a while (i.e.: several months) to get
productive, in particular since OpenSSL doesn't have the most
intuitive API.

>From "I want to know what features it currently has" to "I can
contribute new features" is really a looong way here.

To give a little more guidance: find out what
SSL_CTX_use_certificate_chain_file and SSL_CTX_set_verify do.
Finding that out is really out of scope of python-dev, since
it has nothing to do with Python.

Regards,
Martin


More information about the Python-Dev mailing list