[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Cory Benfield cory at lukasa.co.uk
Fri Jun 2 06:39:32 EDT 2017


> On 2 Jun 2017, at 10:42, Victor Stinner <victor.stinner at gmail.com> wrote:
> 
> Writing new code seems more risky and error-prone than backporting
> already "battle-tested" MemoryBIO from master. I also expect that
> writing code to validate certificate will be longer than the "100
> lines of C code in (probably)" expected by Steve Dower.
> 
> rust-certitude counts around 700 lines of Rust and 80 lines of Python
> code. But maybe I misunderstood the purpose of certitude: Steve Dower
> asked to only validate a certificate, not load or export CA.

That’s all certitude does. The docs of certitude are from an older version of the project when I was considering just doing a live-export to PEM file, before I realised the security concerns of that approach.

We’d also require some other code that lives outside certitude. In particular, code needs to be written to handle the OpenSSL verify callback to save off the cert chain and to translate errors appropriately. There’s also a follow-on problem: the ssl module allows you to call SSLContext.load_default_certs and then SSLContext.load_verify_locations. If you do that, those two behave *additively*: both the default certs and custom verify locations are trusted. Certitude doesn’t allow you to do that: it says that if you choose to use the system certs then darn it that’s all you get. Working out how to do that without just importing random stuff into the user’s keychain would be…tricky. Do-able, for sure, but would require code I haven’t written for Certitude (I may have written it using ctypes elsewhere though).

Cory
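
The additive behaviour of SSLContext.load_default_certs followed by SSLContext.load_verify_locations that the message above describes, as an added example that is not part of the original post or of certitude: it counts the certificates held by one context after each call, next to a context that trusts a private CA only. The helper names are hypothetical, and the throwaway CA is constructed sample input generated with the openssl command-line tool, which is assumed to be on PATH.

```python
import ssl
import subprocess
import tempfile
from pathlib import Path


def make_private_ca(directory):
    """Create a throwaway self-signed certificate (constructed sample input)
    with the openssl CLI and return the path to its PEM file."""
    cert = Path(directory) / "private-ca.pem"
    key = Path(directory) / "private-ca.key"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-days", "1", "-subj", "/CN=Constructed Example Private CA",
         "-keyout", str(key), "-out", str(cert)],
        check=True, capture_output=True,
    )
    return cert


def trust_store_growth(extra_ca_file):
    """Return (before, after): certificates in the context's in-memory store
    after load_default_certs() and again after load_verify_locations().
    Certificates found through a capath directory are loaded lazily and are
    not counted, so `before` can be 0 on some systems."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    before = ctx.cert_store_stats()["x509"]
    # The second call adds to the store; it does not replace the defaults.
    ctx.load_verify_locations(cafile=str(extra_ca_file))
    after = ctx.cert_store_stats()["x509"]
    return before, after


def private_ca_only_context(ca_file):
    """Context that trusts only ca_file: load_default_certs() is never called."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=str(ca_file))
    return ctx


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ca = make_private_ca(tmp)
        before, after = trust_store_growth(ca)
        print(f"after load_default_certs: {before} certs")
        print(f"after load_verify_locations: {after} certs")
        only = private_ca_only_context(ca).cert_store_stats()["x509"]
        print(f"private-CA-only context: {only} cert")
```
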

