[Python-Dev] pip SSL

Christian Heimes christian at python.org
Sat Oct 19 17:52:48 CEST 2013



On 19.10.2013 16:59, Nick Coghlan wrote:
> It's the cert verification in pip that's relevant - the PEP was 
> updated so that ensurepip itself never talks to the internet. So I 
> guess that would mean checking the cert verification in pip's
> vendored copy of requests: 
> https://github.com/pypa/pip/tree/develop/pip/vendor/requests
> 
> (So I guess if you do find any issues, they would likely be
> applicable to the upstream requests package as well)

Oh heck, where should I start?

The cacert.pem file is outdated. Also it's unclear who has generated
the file and how it was generated from certdata.txt. It may very well
contain revoked certificates, too. You can find the latest version of
the file at
http://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
A proper tool is required to generate a correct PEM file. It must
understand *ALL* fields. I have some code for that but it's not ready yet.


pip uses requests and requests rolls its own code for or on top of
Python stdlib modules, e.g. urllib3 with ssl_match_hostname. The
method has the same security flaw as Python's ssl.match_hostname()
function for IDNs. I'm a bit worried that we have to review and
validate all 3rd party packages and copies of stdlib modules for issues.


The assert_fingerprint() function looks kinda funny. It uses sha1() or
md5() on the DER representation of the cert. It's not how you are
supposed to take fingerprints for cert pinning. But Python's ssl has no
way to get the SPKI from the cert yet. I'm working on that as well.
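To illustrate the pinning point in the message above (a whole-certificate hash versus a hash of the SubjectPublicKeyInfo), here is an added, stand-alone example; it is not code from pip, requests or the Python ssl module. It uses a minimal DER walker and a constructed toy certificate with a placeholder key and signature, so the layout is RFC 5280's but nothing in it is verifiable.

```python
import base64
import hashlib

def der_encode(tag, value):
    """Encode one DER TLV (definite length, values shorter than 2**16 bytes)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_children(buf):
    """Split a DER constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                  # long-form length
            n = length & 0x7F
            length, start = int.from_bytes(buf[start:start + n], "big"), start + n
        end = start + length
        out.append((tag, buf[start:end], buf[pos:end]))
        pos = end
    return out

def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    (_, cert_body, _), = der_children(der)                 # Certificate ::= SEQUENCE
    tbs = der_children(cert_body)[0][1]                    # tbsCertificate comes first
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def cert_fingerprint(der, algo="sha1"):
    """Whole-certificate fingerprint: the hash assert_fingerprint() compares."""
    return hashlib.new(algo, der).hexdigest()

def spki_pin(der):
    """Public-key pin: base64(SHA-256(SubjectPublicKeyInfo)), stable across re-issue."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(der)).digest()).decode()

# Constructed toy certificate: real DER layout, placeholder key bits and signature.
RSA_OID = der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")              # rsaEncryption
SIG_ALG = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
TOY_SPKI = der_encode(0x30, der_encode(0x30, RSA_OID + b"\x05\x00") + der_encode(0x03, b"\x00" + b"\x42" * 32))

def toy_cert(serial):
    validity = der_encode(0x30, der_encode(0x17, b"131019000000Z") + der_encode(0x17, b"141019000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, serial)
                     + SIG_ALG + der_encode(0x30, b"") + validity + der_encode(0x30, b"") + TOY_SPKI)
    return der_encode(0x30, tbs + SIG_ALG + der_encode(0x03, b"\x00" * 17))

OLD, RENEWED = toy_cert(b"\x01"), toy_cert(b"\x02")    # same key, re-issued with a new serial
```

Renewing the certificate changes `cert_fingerprint()` but leaves `spki_pin()` unchanged, which is why a pin on the whole DER breaks on every routine re-issue while a key pin does not.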