[Python-Dev] ssl module
Bruno.Harbulot at manchester.ac.uk
Thu Oct 29 19:32:29 CET 2009
I would like to ask a few questions and suggestions regarding the ssl
module (in Python 2.6). (I gather from  that there is some effort
going on to enhance the ssl API, but I'm not sure if this is the right
place to discuss it.)
Like other Python users, I was a bit surprised by the lack of
verification of httplib/urllib2 (hence I started to write a small
library a while back, only published today ), but the following
points are not HTTP-specific.
1. Hostname checking.
From what I gather by reading the archives on this list, the issue of
hostname checking seems controversial . It seems widely admitted by
browser communities nowadays to check that the hostname the CN field of
the subject DN or the DNS entries of subjectAltName. I'd feel more
comfortable if this was the default behaviour of the client in Python's
SSL module, although having a mechanism to override this would be useful
indeed. It's more or less a basic security requirement to check the
identity of the server before doing anything else.
2. Cipher suite selection.
It's useful to restrict the list of cipher suites that can be used,
not just for speed (as mentioned in ), but also because some cipher
suites may be considered insecure by some institutions. This would be a
good feature to have indeed.
3. Full chain of certificates.
The PyOpenSSL module is able to take a callback function that
verifies each certificate in the chain (using depth). According to the
documentation, the ssl module only exposes the first certificate in the
chain (no CA). In some applications, it is useful to verify certain
policies according to attributes further up in the chain.
I'd like to suggest having an
"SSLSocket.getpeercerts(binary_form=False)" (plural) that returns a list
of certificates in the verification chain.
Is there a place where the status of the ssl module is summarized, or a
better place to discuss this? I could try to provide contributions or
further details if appropriate.
More information about the Python-Dev