[Python-Dev] SSL certificates recommendations for downstreampython packagers

Steve Dower steve.dower at python.org
Wed Feb 1 09:20:49 EST 2017

Sorry, I misspoke when I said "certificate validation callback", I meant the same callback Cory uses below (name escapes me now, but it's unfortunately similar to what I said). There are two callbacks in OpenSSL, one that allows you to verify each certificate in the chain individually, and one that requires you to validate the entire chain.

I do indeed take the entire chain in one go and pass it to the OS API. Christian also didn't like that I was bypassing *all* of OpenSSL's certificate handling here, but maybe there's a way to make it reliable if Chrome has done it?

Top-posted from my Windows Phone

-----Original Message-----
From: "Cory Benfield" <cory at lukasa.co.uk>
Sent: ‎2/‎1/‎2017 2:03
To: "Steve Dower" <steve.dower at python.org>
Cc: "Christian Heimes" <christian at python.org>; "David Cournapeau" <cournape at gmail.com>; "python-dev" <python-dev at python.org>
Subject: Re: [Python-Dev] SSL certificates recommendations for downstreampython packagers

On 31 Jan 2017, at 18:26, Steve Dower <steve.dower at python.org> wrote:

In short, I want to allow Python code to set OpenSSL's certificate validation callback. Basically, given a raw certificate, return True/False based on whether it should be trusted. I then have separate code (yet to be published) implementing the callback on Windows by calling into the WinVerifyTrust API with the HTTPS provider, which (allegedly) behaves identically to browsers using the same API (again, allegedly - I have absolutely no evidence to support this other than some manual testing).

For context here Steve, this is not quite what Chrome does (and I cannot stress enough that the Chrome approach is the best one I’ve seen, the folks working on it really do know what they’re doing). The reason here is a bit tricky, but essentially the validation callback is called incrementally for each step up the chain. This is not normally what a platform validation API actually wants: generally they want the entire cert chain the remote peer sent at once.

Chrome, instead, essentially disables the OpenSSL cert validation entirely: they still require the certificate be presented, but override the verification callback to always say “yeah that’s cool, no big deal”. They then take the complete cert chain provided by the remote peer and pass that to the platform validation code in one shot after the handshake is complete, but before they send/receive any data on the connection. This is still safe: so long as you don’t actually expose any data before you have validated the certificates you aren’t at risk.

I have actually prototyped this approach for Requests/urllib3 in the past. I wrote a small Rust extension to call into the platform-native code, and then wrapped it in a CFFI library that exposed a single callable to validate a cert chain for a specific hostname (library is here: https://github.com/python-hyper/certitude). This could then be called from urllib3 code that used PyOpenSSL using this patch here: https://github.com/shazow/urllib3/pull/802/files

PLEASE DON’T ACTUALLY USE THIS CODE. I have not validated that certitude does entirely the right things with the platform APIs. This is just an example of a stripped-down version of what Chrome does, as a potential example of how to get something working for your Python use-case.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20170201/54a8af4c/attachment.html>

More information about the Python-Dev mailing list