[Python-Dev] PEP 466 (round 2): Network security enhancements for Python 2.7
Antoine Pitrou
solipsis at pitrou.net
Sun Mar 23 14:13:44 CET 2014
On Sun, 23 Mar 2014 17:07:24 +1000
Nick Coghlan <ncoghlan at gmail.com> wrote:
> Another more critical example is the lack of SSL hostname matching in the
> Python 2 standard library - it is currently necessary to rely on a third
> party library, such as ``requests`` or ``backports.ssl_match_hostname`` to
> obtain that functionality in Python 2.
Do note that match_hostname() is a pure Python function and is easy to
paste into your own code (if you don't want to pull in a dependency).
It doesn't need SSLContext or any other recent stuff, just a
certificate dict which Python 2.x is already able to provide
(SSLSocket.getpeercert()).
> Firstly, this PEP encompasses a non-trivial portion of the standard library.
> It's not just the underlying SSL support, but also the libraries for other
> network protocols like HTTP, FTP, IMAP, and POP3 that integrate with the
> SSL infrastructure to provide secure links, and that's just the protocols
> in the standard library.
It's still not obvious what you are proposing to do with these other
libraries. If you are proposing to validate certs against system CAs and
check hostnames by default - you are going to break compatibility for a
lot of current uses.
As Martin I think it would be easier to reason about a concrete backport
proposal.
Regards
Antoine.
More information about the Python-Dev
mailing list