[Python-Dev] PEP 476: Enabling certificate validation by default!

Christian Heimes christian at python.org
Wed Sep 3 00:41:46 CEST 2014


On 02.09.2014 23:32, Antoine Pitrou wrote:
>> Furthermore, "disable verification" is a nonsensical thing to do with TLS.
> 
> It's not. For example, if you have an expired cert, all you can do
> AFAIK is to disable verification.

It's possible to ignore or just warn about expired certs with a simple
verify callback. The callback looks like this:

#include <openssl/x509_vfy.h>

/* OpenSSL verify callback: invoked for every certificate in the chain.
 * 'ok' is OpenSSL's verdict for the current check; returning 1 overrides
 * a failure, returning 'ok' keeps it. */
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    /* Tolerate only "certificate has expired"; every other error stands. */
    if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
        return 1;
    return ok;
}

It's installed like this:

    PySSLContext *self;   /* CPython's _ssl.c context object; self->ctx is its SSL_CTX */
    X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
    X509_STORE_set_verify_cb(store, verify_callback);

The X509_STORE_CTX struct is created when a certificate chain is
verified. It holds all sorts of state like the chain, the leaf cert, the
cert currently being tested, the validation depth, error flags and more.
In order to write useful verify callbacks, I or somebody else has to
write an X509_STORE_CTX type and an X509 cert type. It's something I have
wanted to do for more than a year, but I can't find any spare time. :(

Christian

