[Python-ideas] ssl module: validated certificate chain

Gregory P. Smith greg at krypto.org
Wed Oct 28 20:21:52 EDT 2015


I'm in favor of this. I don't know if we'd ever land this kind of change
(new feature) in existing stable 2.7 or 3.4/3.5 releases, but for strictly
security-related things like this we have done so in the past.  If nothing
else, there is no reason not to have this in 3.6.  It is good for the
future.

-gps

On Tue, Oct 27, 2015 at 5:45 PM Cory Benfield <cory at lukasa.co.uk> wrote:

> All,
>
> I’m currently working on adding support for HPKP to the Requests and
> urllib3 modules. HPKP (HTTP Public Key Pinning), specified in RFC 7469, is
> an extension to HTTP that allows a web server to specify a whitelist of
> public keys that are valid for TLS certificates on that domain. This
> prevents a rogue certificate authority from issuing a certificate that
> would be trusted by a browser and would allow a man-in-the-middle attack on
> a domain (as happened to Google in 2013[0]).
>
> Right now, the draft version of the support I have will only work when you
> use PyOpenSSL for your TLS needs, not the standard library. This is because
> to get HPKP to work I need access to the validated certificate chain: that
> is, the certificate chain that OpenSSL has built and validated for the TLS
> connection. I also need to be able to work with those certificates in order
> to extract their public keys. The standard library’s ssl module does not
> expose any of this functionality.
>
> I want to get an idea of whether people believe it should be possible to
> access this functionality in the standard library. It would require the
> following things from the standard library:
>
> 1. The ability to access the validated certificate chain. This requires
> saving off the certificate each time the OpenSSL verify callback is called.
> This is an easy enough change to make.
> 2. The ability to extract the public key from the saved certificates. This
> could be done by extending the logic used for getpeercert() to provide a
> DER-encoded ASN.1 representation of the public key in the dictionary, and
> then using that representation for each cert in the peer cert chain.
>
> The motivation for making this available in the standard library would be
> pip. Right now python.org and all its subdomains (including
> pypi.python.org) are HPKP-enabled. Making this support available in the
> standard library would ensure that all pip installations are safe from
> man-in-the-middle attacks on its packaging infrastructure. Without it, a
> number of third-party packages would be required to add this security.
>
> I’m happy to do the work required to provide this functionality, but I’d
> only like to start work if people believe there’s a likelihood of getting
> it merged.
>
> Thanks,
>
> Cory
>
>
> [0]:
> https://nakedsecurity.sophos.com/2013/01/08/the-turktrust-ssl-certificate-fiasco-what-happened-and-what-happens-next/
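An added illustration, not code from this thread, Requests, urllib3 or CPython: the pin check that item 2 of the quoted proposal depends on, given the validated chain as a list of DER-encoded certificates. All function names are hypothetical, and the sample certificates are constructed, certificate-shaped placeholders with no real names or signatures.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, body_start, body_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        size = length & 0x7F
        if not 1 <= size <= 4:              # rejects indefinite and oversized lengths
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the complete DER SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, pos)    # tbsCertificate SEQUENCE
    has_version = read_tlv(der, pos)[0] == 0xA0   # [0] version is absent in v1
    for _ in range(6 if has_version else 5):      # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[pos:end]

def pin_sha256(cert_der):  # RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def chain_satisfies_pins(chain_der, pins):
    """True if any certificate in the validated chain carries a pinned key."""
    return any(pin_sha256(cert) in pins for cert in chain_der)

def der_tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = [n] if n < 0x80 else [0x80 | size, *n.to_bytes(size, "big")]
    return bytes([tag, *head]) + body

def sample_cert(key_bytes, v3=True):  # constructed placeholder; returns (cert, spki)
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))
    spki = seq(seq(rsa_oid, der_tlv(0x05, b"")), der_tlv(0x03, b"\x00" + key_bytes))
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if v3 else b""
    tbs = seq(version, der_tlv(0x02, b"\x01"), seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), der_tlv(0x03, b"\x00")), spki
```

The check is only meaningful over the chain the TLS library actually validated, which is why item 1 of the proposal comes first: `getpeercert(binary_form=True)` returns the leaf certificate alone, so a pin placed on an intermediate or root key cannot be checked with it.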