[Python-ideas] Expose reasons for SSL/TLS cert verification failures

Chi Hsuan Yen yan12125 at gmail.com
Fri Sep 9 13:29:35 EDT 2016


On Sat, Sep 10, 2016 at 1:16 AM, Christian Heimes <christian at python.org>
wrote:

> On 2016-09-09 12:23, Chi Hsuan Yen wrote:
> > Hi Python enthusiasts,
> >
> > Currently _ssl.c always reports CERTIFICATE_VERIFY_FAILED for any
> > certificate verification error. In OpenSSL, it's possible to tell
> > apart the different reasons that lead to CERTIFICATE_VERIFY_FAILED. For
> > example, https://expired.badssl.com/ reports
> > X509_V_ERR_CERT_HAS_EXPIRED, and https://self-signed.badssl.com/ reports
> > X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. It seems CPython does not expose
> > such information yet? I hope it can be added to CPython. For example,
> > creating a new exception class SSLCertificateError, which is a subclass
> > of SSLError, that provides error codes like
> > X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Any ideas?
> >
> > The attachment is a naive try to printf some information about a
> > verification failure. It's just a proof-of-concept and does not provide
> > any practical advantage :)
>
> I'm planning to add a proper validation hook to 3.7. I haven't had time
> to design and implement it for 3.6.
>
> Christian
>

Thanks for the clarification. I know there are only a few hours before the 3.6
feature freeze :) Is there already a bug? If not, I can help create one
and paste the related materials for easier tracking.

Best,

Yen Chi Hsuan
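Added example, not code from this thread and not CPython's own: what the request above ended up looking like in practice. CPython 3.7 added ssl.SSLCertVerificationError, a subclass of ssl.SSLError whose verify_code and verify_message attributes carry OpenSSL's X509_V_ERR_* reason. The script below mints a throwaway self-signed certificate for "localhost" (assumes the openssl CLI is on PATH and that a loopback port can be bound), starts a one-shot TLS server on 127.0.0.1, and runs three client handshakes: an untrusting client (expect X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), a client that pins the certificate but asks for the wrong hostname (expect X509_V_ERR_HOSTNAME_MISMATCH), and a pinning client with the right hostname (expect success). The numeric codes 10, 18 and 62 are taken from OpenSSL's x509_vfy.h; the hostname-mismatch case is my addition to the two cases named in the thread. run_demo() returns None when no usable openssl CLI is available, so the script degrades instead of failing on a minimal host.

```python
"""Read the X509_V_ERR_* reason behind a CERTIFICATE_VERIFY_FAILED.

Added example (not from this thread or from CPython). Needs Python >= 3.7
for ssl.SSLCertVerificationError and the `openssl` CLI on PATH, which is
used only to mint a throwaway self-signed certificate.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Reason codes as defined in OpenSSL's x509_vfy.h.
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_HOSTNAME_MISMATCH = 62

VERIFY_CODE_NAMES = {
    X509_V_ERR_CERT_HAS_EXPIRED: "X509_V_ERR_CERT_HAS_EXPIRED",
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    X509_V_ERR_HOSTNAME_MISMATCH: "X509_V_ERR_HOSTNAME_MISMATCH",
}


def explain(verify_code):
    """Symbolic name for a verify_code; 0 means verification succeeded."""
    if verify_code == 0:
        return "X509_V_OK"
    return VERIFY_CODE_NAMES.get(verify_code, f"X509_V_ERR code {verify_code}")


def make_self_signed_cert(directory, hostname="localhost"):
    """Mint a one-day self-signed key/cert pair for `hostname` via the openssl CLI."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", f"/CN={hostname}", "-addext", f"subjectAltName=DNS:{hostname}"],
        check=True, capture_output=True)
    return key, cert


def _client_context(cafile=None):
    """Client context; cafile=None means the system trust store only."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Python 3.13 enables VERIFY_X509_STRICT by default; a throwaway
    # `openssl req -x509` cert need not meet every RFC 5280 profile rule,
    # and strictness is not what this demo is about.
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx


def _serve_one_handshake(listener, server_ctx):
    """Server side: accept one connection and attempt the TLS handshake."""
    conn, _ = listener.accept()
    try:
        server_ctx.wrap_socket(conn, server_side=True).close()
    except (ssl.SSLError, OSError):
        pass  # the client rejected our certificate and sent an alert: expected


def probe(port, client_ctx, server_hostname):
    """Client side: return (verify_code, verify_message) for one handshake."""
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        with client_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return 0, f"verified, negotiated {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        # The detail the thread asks for: OpenSSL's reason code and text,
        # not only the generic CERTIFICATE_VERIFY_FAILED.
        return exc.verify_code, exc.verify_message
    finally:
        raw.close()


def run_scenario(client_ctx, server_ctx, server_hostname):
    """Run one client handshake against a fresh loopback server."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=_serve_one_handshake,
                              args=(listener, server_ctx), daemon=True)
    worker.start()
    try:
        return probe(listener.getsockname()[1], client_ctx, server_hostname)
    finally:
        worker.join(5)
        listener.close()


def run_demo():
    """Three scenarios; returns None when no usable openssl CLI is present."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        try:
            key, cert = make_self_signed_cert(workdir)
        except (OSError, subprocess.CalledProcessError):
            return None
        server_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        server_ctx.load_cert_chain(cert, key)
        untrusting = _client_context()           # system trust store only
        trusting = _client_context(cafile=cert)  # pins the self-signed cert
        return {
            "self_signed": run_scenario(untrusting, server_ctx, "localhost"),
            "hostname_mismatch": run_scenario(trusting, server_ctx, "example.invalid"),
            "trusted": run_scenario(trusting, server_ctx, "localhost"),
        }


if __name__ == "__main__":
    outcome = run_demo()
    if outcome is None:
        print("openssl CLI unavailable; no live handshakes run")
    else:
        for scenario, (code, message) in outcome.items():
            print(f"{scenario:18} {code:3} {explain(code):40} {message}")
```

The ordering of the three results is OpenSSL's, not Python's: chain building fails before any hostname check runs, so an untrusted self-signed certificate is reported as X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT even when the hostname is wrong, and X509_V_ERR_HOSTNAME_MISMATCH only appears once the chain is trusted. A client that wants to distinguish "unknown CA" from "wrong host" therefore has to branch on verify_code rather than parse the message string.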