[Python-Dev] Verification of SSL cert and hostname made easy

Christian Heimes christian at python.org
Sun Dec 1 02:53:32 CET 2013


Am 30.11.2013 23:51, schrieb Antoine Pitrou:
> Small nit: what happens if the server_hostname is None (i.e. wasn't
> passed to context.wrap_socket())?

The code will raise an exception. My patch already implements a more
verbose ValueError that explains the cause of the problem. It's a flaw in
the code that calls context.wrap_socket. Erroneous code will no longer pass
silently.

The patch also ensures a valid combination of verify_mode and
check_hostname:

>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.check_hostname = True
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: check_hostname needs a SSL context with either CERT_OPTIONAL
or CERT_REQUIRED
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> context.check_hostname = True
>>> context.verify_mode = ssl.CERT_NONE
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is
enabled.


It's only a limitation of the Python API: getpeercert() returns {} for
an unverified cert. OpenSSL can still return the cert, though.

Christian
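
Added example (editor's note, not part of Christian's message or of the
patch under discussion): the script below exercises the two invariants
the message describes on a current CPython (3.7 or later) without any
network I/O. A context built from PROTOCOL_TLS_CLIENT starts with
check_hostname=True and verify_mode=CERT_REQUIRED; setting verify_mode
to CERT_NONE while check_hostname is on raises ValueError, and
wrap_socket() on such a context refuses a call without server_hostname
before any handshake runs, so an unconnected TCP socket is enough to show
it. One transition differs from the 2013 transcript above: since Python
3.7, enabling check_hostname on a CERT_NONE context raises verify_mode to
CERT_REQUIRED instead of raising ValueError. The host name
"example.invalid" is an arbitrary placeholder; the getpeercert() remark
needs a completed handshake and is not exercised here.

```python
import socket
import ssl


def hostname_verification_invariants():
    """Probe the check_hostname/verify_mode coupling and the server_hostname
    requirement on a client-side SSLContext.  Returns a dict of observations
    so callers (or a test) can assert on them.  No network traffic is sent:
    wrap_socket() on an unconnected socket only builds the SSLSocket and
    defers the handshake to connect()."""
    results = {}

    # PROTOCOL_TLS_CLIENT enables hostname checking and cert verification.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    results["default_check_hostname"] = ctx.check_hostname
    results["default_verify_mode"] = ctx.verify_mode

    # Invariant: verification cannot be switched off while check_hostname is
    # on, otherwise a "verified" hostname would come from an unverified cert.
    try:
        ctx.verify_mode = ssl.CERT_NONE
        results["cert_none_while_checking"] = None
    except ValueError as exc:
        results["cert_none_while_checking"] = str(exc)

    # The only legal order is: disable check_hostname first, then CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    results["cert_none_after_disable"] = ctx.verify_mode

    # Re-enabling check_hostname on a CERT_NONE context: CPython 3.7+ raises
    # verify_mode back to CERT_REQUIRED (the 2013 patch raised ValueError).
    ctx.check_hostname = True
    results["verify_mode_after_reenable"] = ctx.verify_mode

    # Calling wrap_socket() without server_hostname on a checking context is
    # a caller bug and is rejected before the socket is even detached.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as raw:
        try:
            ctx.wrap_socket(raw)
            results["wrap_without_hostname"] = None
        except ValueError as exc:
            results["wrap_without_hostname"] = str(exc)

    # With server_hostname supplied the wrap succeeds; "example.invalid" is a
    # placeholder name (assumption), no handshake happens on an unconnected
    # socket, so the SNI/verification name is simply recorded.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as raw:
        ssock = ctx.wrap_socket(raw, server_hostname="example.invalid")
        try:
            results["wrap_with_hostname"] = ssock.server_hostname
        finally:
            ssock.close()

    # The recommended constructor yields the same safe starting state.
    default_ctx = ssl.create_default_context()
    results["create_default_context"] = (
        default_ctx.check_hostname,
        default_ctx.verify_mode,
    )
    return results


if __name__ == "__main__":
    for key, value in hostname_verification_invariants().items():
        print(f"{key}: {value!r}")
```

Run it as a script to see each observation; the two ValueError messages
come straight from the ssl module, and the None entries would only appear
if a Python build silently allowed the unsafe combination.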

