Python and SSL

John Nagle nagle at animats.com
Mon Oct 1 19:32:35 CEST 2007


Martin v. Löwis wrote:
>>> No, as Martin points out, Python trusts EVERY certificate, which of
>>> course misses the whole point of certificates.  Whatever is making
>>> your program fail is something different.
>> Paul, are you sure for 100%. It is hard to belive.
> 
> Not sure how many confirmations you want, but I can add another one.
> Paul is 100% correct. Python's SSL module, as shipped in Python 2.5.x
> and earlier, performs no verification of the server certificate
> whatsoever; it will silently accept any server certificate as correct.
> 
> Regards,
> Martin

      Actually, the SSL certificate has to be in valid format, because
OpenSSL does require that.  But there's no verification of the certificate
chain in Python's SSL module; it doesn't matter who signed it.  You can
create your own SSL certificates (there are tools for this) and Python's
SSL module will accept that.

      If you have a site that won't open with Python's stock SSL module,
try opening it with a browser.  If you get a warning message about the
certificate issuer not being validated, that's something Python will
ignore.  If you can't open the site with HTTPS at all, even after bypassing
warning messages, then the certificate at the other end may be nonexistent
or invalid.

				John Nagle



More information about the Python-list mailing list