[Python-Dev] Simplify and unify SSL verification

Christian Heimes christian at python.org
Fri Nov 8 01:02:33 CET 2013


Somehow your mail didn't end up on Python-dev

Am 08.11.2013 00:38, schrieb Nick Coghlan:
> In that case, it sounds like you need *two* new options rather than
> one. "verify_hostname", with the None/True/False behaviour and a
> separate postverify hook.

Mmmh, yes, you are making an intriguing point. Two different options
are easier to understand and more powerful.

> It contains the word verify, but if I'm correct in thinking you
> intend for the new callback to be invoked only if the checks
> specified by verify_mode pass, then I would suggest "postverify",
> and skip adding the separate method.

The tests specified by verify_mode are done by OpenSSL during the
protocol handshake. The SSLSocket object has no peer, peer cert and
transport information before the handshake is done. So yes, these
checks are always done before Python can match the hostname of the
peer's cert and before the postverify hook can run.

OpenSSL has a verify callback hook that is called for each certificate
in the trust chain starting with the peer cert up to a root cert. This
callback is too low level and too complex to be useful for the
majority of users. Python would also have to gain wrappers for
X509_STORE and X509_STORE_CTX objects... You don't want to know the
difference :)
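The three stages described in this message (OpenSSL's verify_mode chain checks during the handshake, Python's hostname match against the peer cert, and an application-level postverify hook that only runs once both have passed) can be shown as an ordinary Python client. The following is an added illustration, not code from this thread or from the Python ssl module: `match_hostname`, `verify_peer`, `require_san` and `connect_verified` are hypothetical helper names, and `SAMPLE_CERT` is a constructed dict in the layout `SSLSocket.getpeercert()` returns, not a real certificate.

```python
"""Peer verification in the order the mail describes:
  1. OpenSSL checks the chain against verify_mode inside do_handshake()
  2. Python matches the hostname against the peer cert (RFC 6125 style)
  3. an application-supplied postverify hook inspects the resulting cert dict
Stages 2 and 3 can only run after stage 1, because getpeercert() has
nothing to return until the handshake has completed.
"""
import socket
import ssl
from typing import Callable, Optional

# Constructed sample in the dict layout returned by SSLSocket.getpeercert();
# this is not a real certificate (hypothetical example data).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name pattern; a wildcard is allowed only as the whole
    leftmost label and must be followed by at least two more labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]) or len(plabels) < 3:
        return False
    if len(plabels) != len(hlabels):
        return False  # "*" never matches more than a single label
    return plabels[1:] == hlabels[1:]


def match_hostname(cert: dict, hostname: str) -> None:
    """Stage 2: raise ssl.CertificateError unless hostname matches the cert.
    subjectAltName DNS entries win; commonName is only a fallback when the
    cert carries no DNS SAN at all."""
    if not cert:
        raise ValueError("empty or missing certificate")
    dnsnames = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dnsnames:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dnsnames.append(value)
    for name in dnsnames:
        if _dnsname_match(name, hostname):
            return
    raise ssl.CertificateError(
        f"hostname {hostname!r} doesn't match {', '.join(map(repr, dnsnames))}")


PostVerifyHook = Callable[[dict, str], None]


def require_san(cert: dict, hostname: str) -> None:
    """Example stage-3 hook: refuse certificates that rely on CN alone."""
    if not cert.get("subjectAltName"):
        raise ssl.CertificateError("certificate has no subjectAltName extension")


def verify_peer(cert: dict, hostname: str,
                postverify: Optional[PostVerifyHook] = None) -> dict:
    """Stages 2 and 3, run on the cert dict obtained after the handshake."""
    match_hostname(cert, hostname)
    if postverify is not None:
        postverify(cert, hostname)
    return cert


def connect_verified(host: str, port: int = 443,
                     postverify: Optional[PostVerifyHook] = None) -> ssl.SSLSocket:
    """Full flow against a live server (needs network; not exercised offline)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    # wrap_socket() runs do_handshake(): stage 1 (and the built-in hostname
    # check) happen here; a failure raises before any cert dict exists.
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    try:
        verify_peer(sock.getpeercert(), host, postverify)
    except Exception:
        sock.close()  # never hand back a socket whose peer failed a stage
        raise
    return sock
```

The built-in `check_hostname` is left enabled, so `match_hostname` here duplicates what the ssl module already does; it is spelled out to make visible which checks belong to stage 2 and which to the postverify hook, and the hook only ever sees a certificate that has already survived both earlier stages.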
