[Python-Dev] [engineering.redhat.com #216557] [Fwd: Validating SSL By Default (aka Including a Cert Bundle in CPython)]

[Red Hat Security Response Team]

Hello David, Donald,

  David, thank you for sharing these intentions with us.

On Mon Jun 03 15:56:09 2013, dmalcolm at redhat.com wrote:
> 
> As of right now, as far as I can tell, Python does not validate HTTPS certificates by default. As far as I can tell this
> is because there is no guaranteed certificates available.
>
> So I would like to propose that CPython adopt the Mozilla SSL certificate list and include it in core, and switch over
> the API's so that they verify HTTPS by default.

Donald, we would only welcome this enhancement / proposal. To mention
some examples - urllib2 and httplib modules:
  http://docs.python.org/2/library/urllib2.html
  http://docs.python.org/2/library/httplib.html

are documented upstream not to perform SSL certificate verification by default
(and due this fact there has been couple of CVE identifiers assigned in the past
for applications that incorrectly assumed certificates would be validated when
using these modules).

So any enhancement, which can upstream done in this area, would be only welcome.

> This is what most people are going to expect when using a https url 
> (Especially after learning that Python 2.x doesn't verify TLS, but Python 3.x "does").
> 
> Ideally this would take the shape of attempting to locate the system certificate store if possible, and if that doesn't
> work falling back to the bundled certificates. That way the various Linux distros can easily have their copies of Python
> depend soley on their built in certs, but Windows, OSX, Source compiles etc will all still have a fallback value.

AFAWCT that proposal looks reasonable.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> 
>