[Python-Dev] Verification of SSL cert and hostname made easy
Antoine Pitrou
solipsis at pitrou.net
Sat Nov 30 23:51:17 CET 2013
On Sat, 30 Nov 2013 19:29:37 +0100
Christian Heimes <christian at python.org> wrote:
> This fix requires only a new SSLContext attribute and a small
> modification to SSLSocket.do_handshake():
>
> if self.context.check_hostname:
> try:
> match_hostname(self.getpeercert(), self.server_hostname)
> except Exception:
> self.shutdown(_SHUT_RDWR)
> self.close()
> raise
Small nit: what happens if the server_hostname is None (i.e. wasn't
passed to context.wrap_socket())?
> The default settings for all stdlib modules will still be verify_mode =
> CERT_NONE and check_hostname = False for maximum backward compatibility.
> Python 3.4 comes with a new function ssl.create_default_context() that
> returns a new context with best practice settings and loaded root CA
> certs. The settings are TLS 1.0, no weak and insecure ciphers (no MD5,
> no RC4), no compression (CRIME attack), CERT_REQUIRED and check_hostname
> = True (for client side only).
Sounds fine to me, thanks.
Regards
Antoine.
More information about the Python-Dev
mailing list