[Python-Dev] PEP 476: Enabling certificate validation by default!

M.-A. Lemburg mal at egenix.com
Sat Aug 30 12:46:47 CEST 2014


On 30.08.2014 12:40, Antoine Pitrou wrote:
> On Sat, 30 Aug 2014 12:19:11 +0200
> "M.-A. Lemburg" <mal at egenix.com> wrote:
>>> To add to the PEP:
>>>
>>> * Emit a warning in 3.4.next for cases that would raise a Exception in 3.5
>>> * Clearly state that the existing OpenSSL environment variables will be
>>>   respected for setting the trust root
>>
>> I'd also suggest to compile Python with OPENSSL_LOAD_CONF, since that
>> causes OpenSSL to read the global openssl.cnf file for additional
>> configuration.
> 
> Python links against OpenSSL as a shared library, not statically. It's
> unlikely that setting a compile constant inside Python would affect
> OpenSSL at all.

The change is to the OpenSSL API, not the OpenSSL lib. By setting
the variable you enable a few special calls to the config loader
functions in OpenSSL when calling the initializer it:

https://www.openssl.org/docs/crypto/OPENSSL_config.html

>>> Discussion points:
>>>
>>> * Disabling verification entirely externally to the program, through a CLI flag
>>>   or environment variable. I'm pretty down on this idea, the problem you hit is
>>>   that it's a pretty blunt instrument to swing, and it's almost impossible to
>>>   imagine it not hitting things it shouldn't; it's far too likely to be used in
>>>   applications that make two sets of outbound connections: 1) to some internal
>>>   service which you want to disable verification on, and 2) some external
>>>   service which needs strong validation. A global flag causes the latter to
>>>   fail silently when subjected to a MITM attack, and that's exactly what we're
>>>   trying to avoid. It also makes things much harder for library authors: I
>>>   write an API client for some API, and make TLS connections to it. I want
>>>   those to be verified by default. I can't even rely on the httplib defaults,
>>>   because someone might disable them from the outside.
>>
>> The reasoning here is the same as for hash randomization. There
>> are cases where you want to test your application using self-signed
>> certificates which don't validate against the system CA root list.
> 
> That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE
> env vars (or, better, by specific settings *inside* the application).
> 
> I'm against multiplying environment variables, as it makes it more
> difficult to assess the actual security of a setting. The danger of an
> ill-secure setting is much more severe than with hash randomization.

You have a point there. So how about just a python run-time switch
and no env var ?

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Aug 30 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2014-08-27: Released eGenix PyRun 2.0.1 ...       http://egenix.com/go62
2014-09-19: PyCon UK 2014, Coventry, UK ...                20 days to go
2014-09-27: PyDDF Sprint 2014 ...                          28 days to go

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/


More information about the Python-Dev mailing list