[Python-Dev] PEP 476: Enabling certificate validation by default!

Antoine Pitrou solipsis at pitrou.net
Fri Aug 29 23:55:40 CEST 2014


On Fri, 29 Aug 2014 17:11:35 -0400
Donald Stufft <donald at stufft.io> wrote:
> 
> Another problem with this is that I don’t think it’s actually
> possible to do. Python itself isn’t validating the TLS certificates,
> OpenSSL is doing that. To my knowledge OpenSSL doesn’t
> have a way to say “please validate these certificates and if
> they don’t validate go ahead and keep going and just let me
> get a warning from it”.

Actually, there may be a solution.
In client mode, OpenSSL always verifies the server cert chain and
stores the verification result in the SSL structure. It will then only
report an error if the verify mode is not SSL_VERIFY_NONE.
(see ssl3_get_server_certificate() in s3_clnt.c)

The verification result should then be readable using
SSL_get_verify_result(), even with SSL_VERIFY_NONE.

(note this is only from reading the source code and needs verifying)

Then we could have the following transition phase:
- define a new CERT_WARN value for SSLContext.verify_mode
- use that value as the default in the HTTP stack (people who want the
  old silent default will have to set verify_mode explicitly to
  VERIFY_NONE)
- with CERT_WARN, SSL_VERIFY_NONE is passed to OpenSSL and Python
  manually calls SSL_get_verify_result() after a handshake; if there
  was a verification error, a warning is printed out

And in the following version we switch the HTTP default to
CERT_REQUIRED.

Regards

Antoine.
