validating HTTPS certificates?
Nobody
nobody at nowhere.com
Fri Jun 26 13:01:24 EDT 2009
On Fri, 26 Jun 2009 10:04:21 +0200, Andras.Horvath wrote:
> (disclaimer: this might be a FAQ entry somewhere but I honestly did use
> Google)
>
> I'm in the process of picking a language for a client application that
> accesses a HTTPS (actually SOAP) server. This would be easy enough in
> Python, but I came across a strange fact: neither httplib nor urllib
> offer the possibility to actually verify the server's certificate.
>
> After some digging I've found that from 2.6 onward, the ssl module
> offers such functionality but it's not trivial, at least for me, to glue
> that to the HTTP protocol modules (and then those to the SOAP module).
>
> Did I miss something? If not, is this feature foreseen, e.g. the trivial
> build-up of a HTTPS connection while verifying the certificate chain?
For a urllib-style interface, there's not much point in performing
verification after the fact. Either the library performs verification or
it doesn't. If it doesn't, you've just sent the (potentially confidential)
request to an unknown server; discovering this after the fact doesn't
really help.
More information about the Python-list
mailing list