[Python-Dev] ssl module

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Thu Oct 29 19:32:29 CET 2009


Hello,

I would like to ask a few questions and suggestions regarding the ssl 
module (in Python 2.6). (I gather from [1] that there is some effort 
going on to enhance the ssl API, but I'm not sure if this is the right 
place to discuss it.)

Like other Python users, I was a bit surprised by the lack of 
verification of httplib/urllib2 (hence I started to write a small 
library a while back, only published today [2]), but the following 
points are not HTTP-specific.

1. Hostname checking.

   From what I gather by reading the archives on this list, the issue of 
hostname checking seems controversial [3]. It seems widely admitted by 
browser communities nowadays to check that the hostname matches the CN field of 
the subject DN or the DNS entries of subjectAltName. I'd feel more 
comfortable if this was the default behaviour of the client in Python's 
SSL module, although having a mechanism to override this would be useful 
indeed. It's more or less a basic security requirement to check the 
identity of the server before doing anything else.


2. Cipher suite selection.

   It's useful to restrict the list of cipher suites that can be used, 
not just for speed (as mentioned in [1]), but also because some cipher 
suites may be considered insecure by some institutions. This would be a 
good feature to have indeed.


3. Full chain of certificates.

   The PyOpenSSL module is able to take a callback function that 
verifies each certificate in the chain (using depth). According to the 
documentation, the ssl module only exposes the first certificate in the 
chain (no CA). In some applications, it is useful to verify certain 
policies according to attributes further up in the chain.
I'd like to suggest having an 
"SSLSocket.getpeercerts(binary_form=False)" (plural) that returns a list 
of certificates in the verification chain.


Is there a place where the status of the ssl module is summarized, or a 
better place to discuss this? I could try to provide contributions or 
further details if appropriate.


Best wishes,

Bruno.



[1] http://mail.python.org/pipermail/python-dev/2009-September/091636.html
[2] http://code.google.com/p/python-httpclient
[3] http://bugs.python.org/issue1589
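The hostname check described in point 1, as an added example that is not part of the original post or of the ssl module: it takes a certificate in the dict shape returned by SSLSocket.getpeercert(), prefers the DNS entries of subjectAltName, falls back to the subject commonName only when there are no DNS SANs, and honours a single leftmost wildcard label. The sample certificate dict and the helper names are constructed for the example.

```python
import ssl
import socket


def _dns_name_match(pattern, hostname):
    """Match one certificate DNS name against the hostname, case-insensitively.
    A '*' is honoured only as the entire leftmost label and matches exactly one
    non-empty label, so '*.example.com' matches 'www.example.com' but not
    'a.b.example.com', 'example.com' or 'example.com.attacker'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Stricter than strictly required: refuse '*.com'-style patterns.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return True if `cert` (getpeercert() dict) is issued for `hostname`.
    An empty cert (CERT_NONE, or no validation) is rejected, not passed."""
    if not cert:
        return False
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # commonName is consulted only when no DNS SAN is present
        names = [v for rdn in cert.get("subject", ())
                 for (k, v) in rdn if k == "commonName"]
    return any(_dns_name_match(name, hostname) for name in names)


def connect_verified(host, port, ca_certs):
    """Open a TLS connection, validate the chain, then check the hostname.
    Hypothetical helper; closes the socket and raises on mismatch."""
    sock = ssl.wrap_socket(socket.create_connection((host, port)),
                           cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_certs)
    if not match_hostname(sock.getpeercert(), host):
        sock.close()
        raise ssl.SSLError("certificate does not match hostname %r" % host)
    return sock


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
```

Later Python releases added ssl.match_hostname() (3.2) and SSLContext.check_hostname (3.4), which perform this check in the standard library; the function above mirrors that logic so it can be run over getpeercert() output from the 2.6 module discussed here.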


