Python and SSL

John Nagle nagle at animats.com
Sat Sep 29 17:25:49 CEST 2007


Paul Rubin wrote:
> "Martin v. Löwis" <martin at v.loewis.de> writes:
>>> But how can I tell my Python program to trust my SSL certificate?
>> Why do you want to tell it that? The SSL module will trust *any*
>> server certificate, no need to tell it explicitly which ones to
>> trust.
> 
> Er, the whole idea of SSL is that you don't trust the connection.  So
> failing to authenticate the other end is a security failure and SSL
> should not be used that way.  From RFC 4346:
> 
>    Warning: Completely anonymous connections only provide protection
>             against passive eavesdropping.  Unless an independent
>             tamper-proof channel is used to verify that the finished
>             messages were not replaced by an attacker, server
>             authentication is required in environments where active
>             man-in-the-middle attacks are a concern.

     Right.  The key point here is that Python's standard SSL module
doesn't actually check the validity of SSL certificates.  It just
makes client connections without checking.  It will happily connect
to sites offering totally bogus certificates, even ones with the wrong
domain name.

     M2Crypto actually checks.  M2Crypto has much better functionality,
but it's rather hard to build.

				John Nagle



More information about the Python-list mailing list