[Python-Dev] pip SSL

Ian Cordasco graffatcolmingov at gmail.com
Sat Oct 19 21:46:06 CEST 2013


Also the three of us maintaining requests and the author of urllib3
are all very conscious that the packaged pem file is outdated. We have
an open issue about how to rebuild it accurately while taking into
consideration (and not including) the ones that have been revoked. Any
suggestions you have can be sent to me off list or reported on the
issue tracker.

On Sat, Oct 19, 2013 at 12:57 PM, Donald Stufft <donald at stufft.io> wrote:
> One of the reasons we switched to using requests was to help centralize the SSL
> handling code over to requests. So any issues could be fixed there and we just
> pull in a newer version of requests.
>
> On Oct 19, 2013, at 11:52 AM, Christian Heimes <christian at python.org> wrote:
>
>> On 19.10.2013 16:59, Nick Coghlan wrote:
>> > It's the cert verification in pip that's relevant - the PEP was
>> > updated so that ensurepip itself never talks to the internet. So I
>> > guess that would mean checking the cert verification in pip's
>> > vendored copy of requests:
>> > https://github.com/pypa/pip/tree/develop/pip/vendor/requests
>> >
>> > (So I guess if you do find any issues, they would likely be
>> > applicable to the upstream requests package as well)
>>
>> Oh heck, where should I start?
>>
>> The cacert.pem file is outdated. Also it's unclear who has generated
>> the file and how it was generated from certdata.txt. It may very well
>> contain revoked certificates, too. You can find the latest version of
>> the file at
>>
>> http://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>>
>> A proper tool is required to generate a correct PEM file. It must
>> understand *ALL* fields. I have some code for that but it's not ready yet.
>>
>>
>> pip uses requests and requests rolls its own code for or on top of
>> Python stdlib modules, e.g. urllib3 with ssl_match_hostname. The
>> method has the same security flaw as Python's ssl.match_hostname()
>> function for IDNs. I'm a bit worried that we have to review and
>> validate all 3rd party packages and copies of stdlib modules for issues.
>>
>>
>> The assert_fingerprint() function looks kinda funny. It uses sha1() or
>> md5() on the DER representation of the cert. It's not how you are
>> supposed to take fingerprints for cert pinning. But Python's ssl has no
>> way to get the SPKI from the cert yet. I'm working on that as well.
>>
>> _______________________________________________
>> Python-Dev mailing list
>> Python-Dev at python.org
>> https://mail.python.org/mailman/listinfo/python-dev
>> Unsubscribe: https://mail.python.org/mailman/options/python-dev/donald%40stufft.io
>
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>
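
The thread's point about certdata.txt fields, as an added example that is not part of the original messages and not code from pip, requests or urllib3: a certificate object in certdata.txt is only a candidate root, and the separate CKO_NSS_TRUST object decides whether it may be used for TLS server authentication. The function names are hypothetical, the sample records are constructed with placeholder bytes instead of real certificates, and only the CKA_TRUST_SERVER_AUTH field is honoured here, not every field.

```python
import hashlib, re, ssl
TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"  # NSS value: trusted as a CA for this purpose

def parse_objects(text):
    """Yield one dict per certdata.txt object; each object starts at CKA_CLASS."""
    obj, lines = {}, iter(text.splitlines())
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or the BEGINDATA marker
        if parts[0] == "CKA_CLASS":
            yield obj  # the first yield is an empty dict; callers ignore it
            obj = {}
        if parts[1] == "MULTILINE_OCTAL":  # \ooo escapes up to a line reading END
            raw = bytearray()
            for data in lines:
                if data.strip() == "END":
                    break
                raw += bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", data))
            obj[parts[0]] = bytes(raw)
        else:
            obj[parts[0]] = parts[-1]
    yield obj

def server_auth_roots(text):
    """Return {label: PEM} only for certificates trusted for TLS server auth."""
    certs, trust = {}, {}
    for obj in parse_objects(text):
        if obj.get("CKA_CLASS") == "CKO_CERTIFICATE":
            certs[hashlib.sha1(obj["CKA_VALUE"]).digest()] = obj
        elif obj.get("CKA_CLASS") == "CKO_NSS_TRUST":
            trust[obj.get("CKA_CERT_SHA1_HASH")] = obj.get("CKA_TRUST_SERVER_AUTH")
    pems = {}
    for digest, cert in certs.items():
        if trust.get(digest) == TRUSTED:  # distrusted or unmatched certs are dropped
            pems[cert["CKA_LABEL"].strip('"')] = ssl.DER_cert_to_PEM_cert(cert["CKA_VALUE"])
    return pems

def sample_entry(label, der, server_auth):
    """Constructed certificate/trust pair; `der` is placeholder bytes, not a real cert."""
    octal = lambda data: "".join("\\%03o" % b for b in data)
    return "\n".join([
        "CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE", 'CKA_LABEL UTF8 "%s"' % label,
        "CKA_VALUE MULTILINE_OCTAL", octal(der), "END",
        "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST", 'CKA_LABEL UTF8 "%s"' % label,
        "CKA_CERT_SHA1_HASH MULTILINE_OCTAL", octal(hashlib.sha1(der).digest()), "END",
        "CKA_TRUST_SERVER_AUTH CK_TRUST " + server_auth, ""])

SAMPLE = "BEGINDATA\n" + sample_entry("Example Good Root", b"0\x03\x02\x01\x01", TRUSTED) \
    + sample_entry("Example Distrusted Root", b"0\x03\x02\x01\x02", "CKT_NSS_NOT_TRUSTED")
```

A converter that copies every CKO_CERTIFICATE block into the bundle would emit both sample entries; matching each certificate to its trust record by SHA-1 of the DER bytes keeps the distrusted one out.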

