[Python-Dev] pip SSL
christian at python.org
Sat Oct 19 17:52:48 CEST 2013
On 19.10.2013 16:59, Nick Coghlan wrote:
> It's the cert verification in pip that's relevant - the PEP was
> updated so that ensurepip itself never talks to the internet. So I
> guess that would mean checking the cert verification in pip's
> vendored copy of requests:
> (So I guess if you do find any issues, they would likely be
> applicable to the upstream requests package as well)
Oh heck, where should I start?
The cacert.pem file is outdated. Also it's unclear who has generated
the file and how it was generated from certdata.txt. It may very well
contain revoked certificates, too. You can find the latest version of
the file at
. A proper tool is required to generate a correct PEM file. It must
understand *ALL* fields. I have some code for that but it's not ready yet.
pip uses requests and requests rolls its own code for or on top of
Python stdlib modules, e.g. urllib3 with ssl_match_hostname. The
method has the same security flaw as Python's ssl.match_hostname()
function for IDNs. I'm a bit worried that we have to review and
validate all 3rd party packages and copies of stdlib modules for issues.
The assert_fingerprint() function looks kinda funny. It uses sha1() or
md5() on the DER representation of the cert. It's not how you are
supposed to take fingerprints for cert pinning. But Python's ssl has no
way to get the SPKI from the cert yet. I'm working on that as well.
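Added example for the cacert.pem point above; this is my code, not code from the message, pip, requests or any certdata.txt converter. It reads certdata.txt including the CKO_NSS_TRUST objects and emits only certificates whose trust object says CKT_NSS_TRUSTED_DELEGATOR for CKA_TRUST_SERVER_AUTH. That is the field-awareness the message asks for: a converter that dumps every CKO_CERTIFICATE object also ships roots that certdata.txt keeps only in order to mark them distrusted (CKT_NSS_NOT_TRUSTED), or roots trusted for e-mail only. The sample input is constructed in certdata.txt syntax with placeholder DER bytes; it is not real CA data.

```python
import base64
import textwrap

TRUSTED_DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"   # trusted as a CA for that usage


def parse_certdata(text):
    """Parse NSS certdata.txt into a list of objects (dict attribute -> value).

    MULTILINE_OCTAL values are decoded to bytes, UTF8 values lose their quotes,
    everything else (CK_TRUST, CK_BBOOL, ...) is kept as the raw token.
    """
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        attr, typ = parts[0], parts[1] if len(parts) > 1 else ""
        if attr == "CKA_CLASS":               # every object starts with its class
            current = {}
            objects.append(current)
        elif current is None:                 # CVS_ID / BEGINDATA header material
            continue
        if typ == "MULTILINE_OCTAL":          # lines like \060\202\005... up to END
            buf = bytearray()
            for octal in lines:
                if octal.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in octal.strip().split("\\") if o)
            current[attr] = bytes(buf)
        elif typ == "UTF8":
            current[attr] = parts[2].strip('"')
        else:
            current[attr] = parts[2] if len(parts) > 2 else ""
    return objects


def server_auth_roots(objects):
    """Certificates whose CKO_NSS_TRUST object (matched on issuer + serial) marks them
    CKT_NSS_TRUSTED_DELEGATOR for server auth. No trust object, CKT_NSS_NOT_TRUSTED
    (explicitly distrusted) and CKT_NSS_MUST_VERIFY_TRUST (not a root here) are dropped."""
    certs, trust = {}, {}
    for obj in objects:
        key = (obj.get("CKA_ISSUER"), obj.get("CKA_SERIAL_NUMBER"))
        if obj["CKA_CLASS"] == "CKO_CERTIFICATE":
            certs[key] = obj
        elif obj["CKA_CLASS"] == "CKO_NSS_TRUST":
            trust[key] = obj
    return [cert for key, cert in certs.items()
            if trust.get(key, {}).get("CKA_TRUST_SERVER_AUTH") == TRUSTED_DELEGATOR]


def to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def build_bundle(certdata_text):
    """certdata.txt -> PEM bundle containing only roots trusted for TLS server auth."""
    roots = server_auth_roots(parse_certdata(certdata_text))
    return "".join("# %s\n%s" % (c["CKA_LABEL"], to_pem(c["CKA_VALUE"])) for c in roots)


# --- constructed sample input: certdata.txt syntax, placeholder DER, not real CAs ---
def _octal(data):
    return "".join("\\%03o" % b for b in data)


def _sample_entry(label, serial, server_trust):
    issuer = _octal(b"\x30\x00")                             # empty Name (placeholder)
    serial_oct = _octal(bytes([0x02, 0x01, serial]))
    der = _octal(bytes([0x30, 0x03, 0x02, 0x01, serial]))    # SEQUENCE { INTEGER }, not a cert
    return (
        '# Certificate "%s"\nCKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\nCKA_LABEL UTF8 "%s"\n'
        "CKA_ISSUER MULTILINE_OCTAL\n%s\nEND\nCKA_SERIAL_NUMBER MULTILINE_OCTAL\n%s\nEND\n"
        "CKA_VALUE MULTILINE_OCTAL\n%s\nEND\n"
        '# Trust for "%s"\nCKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\nCKA_LABEL UTF8 "%s"\n'
        "CKA_ISSUER MULTILINE_OCTAL\n%s\nEND\nCKA_SERIAL_NUMBER MULTILINE_OCTAL\n%s\nEND\n"
        "CKA_TRUST_SERVER_AUTH CK_TRUST %s\n"
        "CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"
    ) % (label, label, issuer, serial_oct, der, label, label, issuer, serial_oct, server_trust)


SAMPLE_CERTDATA = "BEGINDATA\n" + "".join([
    _sample_entry("Example Trusted Root", 1, "CKT_NSS_TRUSTED_DELEGATOR"),
    _sample_entry("Example Distrusted Root", 2, "CKT_NSS_NOT_TRUSTED"),
    _sample_entry("Example Email Only Root", 3, "CKT_NSS_MUST_VERIFY_TRUST"),
])
```

Run against the real file, build_bundle(open("certdata.txt").read()) gives a server-auth-only bundle; of the three constructed entries only "Example Trusted Root" survives. Matching on (CKA_ISSUER, CKA_SERIAL_NUMBER) rather than on CKA_LABEL matters because labels are not guaranteed unique across a CA's root generations.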
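The message does not say which IDN case ssl.match_hostname() and urllib3's ssl_match_hostname mishandled, so the following added example (my code, not the stdlib's, pip's, requests' or urllib3's) only shows a hostname matcher that applies the RFC 6125 section 6.4.3 wildcard rules explicitly: at most one wildcard, in the leftmost label only, never spanning a label boundary, and no partial-wildcard expansion inside an IDNA A-label (a label starting with xn--) on either side. A full-label wildcard (*.example.com) is still allowed to match an A-label, which is the one IDN case RFC 6125 permits. The cert dicts in the usage are constructed in the shape ssl.getpeercert() returns.

```python
import re


class CertificateError(ValueError):
    pass


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match one presented dNSName/CN against a reference hostname (RFC 6125 6.4.3)."""
    if not dn:
        return False
    leftmost, *remainder = dn.split(".")
    wildcards = leftmost.count("*")
    if wildcards > max_wildcards:
        raise CertificateError("too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:                       # plain name: case-insensitive equality only
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == "*":
        pats.append("[^.]+")                # whole-label wildcard: exactly one label
    elif leftmost.startswith("xn--") or hostname.startswith("xn--"):
        # 6.4.3 item 3: no wildcard inside an A-label (presented or reference); the
        # '*' is kept literal so 'xn--*.example.com' cannot match any real A-label.
        pats.append(re.escape(leftmost))
    else:
        pats.append(re.escape(leftmost).replace(r"\*", "[^.]*"))   # 'b*r' -> 'bar', 'br'
    pats.extend(re.escape(frag) for frag in remainder)             # no '*' in later labels
    pat = re.compile(r"\A" + r"\.".join(pats) + r"\Z", re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname):
    """Verify an ssl.getpeercert()-style dict against hostname; raise CertificateError
    on mismatch. subjectAltName dNSName entries win; commonName is consulted only when
    the certificate carries no dNSName at all."""
    dnsnames = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            if dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    if not dnsnames:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    raise CertificateError("hostname %r doesn't match %r" % (hostname, dnsnames))


# constructed cert dicts in ssl.getpeercert() shape (not real certificates)
SAN_CERT = {"subject": ((("commonName", "www.example.com"),),),
            "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}
```

With this matcher, "*.example.com" accepts www.example.com and the A-label xn--bcher-kva.example.com but rejects a.b.example.com and bare example.com; "xn--b*.example.com" matches nothing, because expanding a wildcard inside an A-label would let an attacker pick a name whose punycode decodes to something unrelated.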
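Added example for the assert_fingerprint() point; my code, not code from the message, requests or urllib3. The message says the check digests the DER of the whole certificate with sha1() or md5(); the usual alternative is to pin the SubjectPublicKeyInfo, so the pin survives re-issuance of the same key. Since the message notes that Python's ssl cannot hand out the SPKI, this walks the outer DER structure of a certificate itself (Certificate -> tbsCertificate -> skip version, serial, signature, issuer, validity, subject -> subjectPublicKeyInfo) without interpreting any field. The certificates are constructed shells with a placeholder key bit string and an all-zero signature, built only to show that a whole-DER digest changes with a new serial while the SPKI pin does not.

```python
import base64
import hashlib

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTCTIME, VERSION_TAG = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def _tlv(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate missing")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == VERSION_TAG:               # v2/v3 carry an explicit version; v1 omits it
        pos = end
    for _ in range(5):                   # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo missing")
    return cert_der[pos:end]


def spki_pin(cert_der):
    """Public-key pin: base64(SHA-256(SubjectPublicKeyInfo)); stable across re-issuance."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def cert_fingerprint(cert_der, algorithm="sha1"):
    """Digest over the whole certificate DER, i.e. what a fingerprint-of-DER check compares."""
    return hashlib.new(algorithm, cert_der).hexdigest()


# --- constructed sample certificates: valid DER shape, placeholder key and signature ---
RSA_ENCRYPTION = _tlv(SEQUENCE, _tlv(OID, bytes.fromhex("2a864886f70d010101")) + _tlv(NULL, b""))
SHA256_WITH_RSA = _tlv(SEQUENCE, _tlv(OID, bytes.fromhex("2a864886f70d01010b")) + _tlv(NULL, b""))
SAMPLE_SPKI = _tlv(SEQUENCE, RSA_ENCRYPTION + _tlv(BIT_STRING, b"\x00" + b"\xab" * 32))
ROTATED_SPKI = _tlv(SEQUENCE, RSA_ENCRYPTION + _tlv(BIT_STRING, b"\x00" + b"\xcd" * 32))


def make_cert(serial, spki, v3=True):
    """Unsigned certificate shell: empty issuer/subject Names, fixed validity, zero signature."""
    version = _tlv(VERSION_TAG, _tlv(INTEGER, b"\x02")) if v3 else b""
    validity = _tlv(SEQUENCE, _tlv(UTCTIME, b"130101000000Z") + _tlv(UTCTIME, b"140101000000Z"))
    tbs = _tlv(SEQUENCE, version + _tlv(INTEGER, serial) + SHA256_WITH_RSA
               + _tlv(SEQUENCE, b"") + validity + _tlv(SEQUENCE, b"") + spki)
    return _tlv(SEQUENCE, tbs + SHA256_WITH_RSA + _tlv(BIT_STRING, b"\x00" * 65))


ORIGINAL = make_cert(b"\x01", SAMPLE_SPKI)     # as first issued
REISSUED = make_cert(b"\x02", SAMPLE_SPKI)     # same key, new serial (renewal)
REKEYED = make_cert(b"\x03", ROTATED_SPKI)     # key rotated
```

cert_fingerprint(ORIGINAL) and cert_fingerprint(REISSUED) differ, so a client pinned to the DER digest breaks at every renewal, which pushes operators toward never rotating; spki_pin() is identical for the two and changes only for REKEYED. The same walk works on the DER returned by ssl.SSLSocket.getpeercert(binary_form=True).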