[Python-Dev] Let's make the SSL module sane
Christian Heimes
christian at python.org
Sat Sep 10 14:23:13 EDT 2016
On 2016-09-10 18:24, Donald Stufft wrote:
>
>> On Sep 10, 2016, at 10:22 AM, Christian Heimes <christian at python.org> wrote:
>>
>> I don't load any certs because it is not possible to remove a cert or
>> X509 lookup once it is loaded. create_default_context() just have to
>> load the certs and set more secure ciper suites.
>
>
> This part is the most concerning to me, though I understand why it’s the case. Perhaps we can do something a little tricky to allow both things to happen? IOW do sort of a late binding of a call to loading the default certificates if no other certificates has been loaded when the call to SSLContext().wrap_socket() has been made.
>
> So we’d do something like:
>
>
> class SSLContext:
> def __init__(self, …):
> self._loaded_certificates = False
> … # Do Other Stuff
>
> def load_default_certs(self, …):
> self._loaded_certificates = True
> … # Do Other Stuff
>
> def load_verify_locations(self, …):
> self._loaded_certificates = True
> … # Do Other Stuff
>
> def wrap_socket(self, …):
> if not self._loaded_certificates:
> self.load_default_certs()
>
> … # Do Other Stuff
>
>
> That way if someone does something like:
>
> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
> ctx.load_verify_locations(cafile=“…”)
> ctx.wrap_socket(…)
>
> Then they don’t get any default certificates added, HOWEVER if they do:
>
> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
> ctx.wrap_socket(…)
>
> Then they do.
>
> The main draw back I can see with this is that you can’t wrap a socket and then add certificates after the fact… but I don’t even know if that makes sense to do?
It's a bit too clever and tricky for my taste. I prefer 'explicit is
better than implicit' for trust anchors. My main concern are secure
default settings. A SSLContext should be secure w/o further settings in
order to prevent developers to shoot themselves in the knee.
Missing root certs are not a direct security issue with CERT_REQUIRED.
The connection will simply fail. I'd rather improve the error message
than to auto-load certs.
Christian
More information about the Python-Dev
mailing list