[Python-Dev] Let's make the SSL module sane

Donald Stufft donald at stufft.io
Sat Sep 10 12:24:13 EDT 2016


> On Sep 10, 2016, at 10:22 AM, Christian Heimes <christian at python.org> wrote:
> 
> I don't load any certs because it is not possible to remove a cert or
> X509 lookup once it is loaded. create_default_context() just have to
> load the certs and set more secure ciper suites.


This part is the most concerning to me, though I understand why it’s the case. Perhaps we can do something a little tricky to allow both things to happen? IOW do sort of a late binding of a call to loading the default certificates if no other certificates has been loaded when the call to SSLContext().wrap_socket() has been made.

So we’d do something like:


class SSLContext:
    def __init__(self, …):
        self._loaded_certificates = False
        …  # Do Other Stuff

    def load_default_certs(self, …):
        self._loaded_certificates = True
        …  # Do Other Stuff

    def load_verify_locations(self, …):
        self._loaded_certificates = True
        …  # Do Other Stuff

    def wrap_socket(self, …):
        if not self._loaded_certificates:
            self.load_default_certs()

        …  # Do Other Stuff


That way if someone does something like:

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.load_verify_locations(cafile=“…”)
ctx.wrap_socket(…)

Then they don’t get any default certificates added, HOWEVER if they do:

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.wrap_socket(…)

Then they do.

The main draw back I can see with this is that you can’t wrap a socket and then add certificates after the fact… but I don’t even know if that makes sense to do?

—
Donald Stufft





More information about the Python-Dev mailing list