"ssl" module doesn't validate that domain of certificate is correct
exarkun at twistedmatrix.com
Mon Apr 19 16:37:41 EDT 2010
On 05:49 pm, nagle at animats.com wrote:
>exarkun at twistedmatrix.com wrote:
>>On 04:51 pm, nagle at animats.com wrote:
>>> I'm converting some code from M2Crypto to the new "ssl" module, and
>>>I've found what looks like a security hole. The "ssl" module will
>>>validate the certificate chain, but it doesn't check that the
>>>certificate is valid for the domain.
>...
>>It's a bit debatable. There probably should be a way to make this
>>happen, but it's far from clear that it's the only correct behavior.
>>And, as it turns out, there is a way to make it happen - call
>>getpeercert() and perform the check yourself. ;)
>
> "Checking it yourself" is non-trivial.

Yes. It'd be nice to have something in the stdlib which accepted a
hostname and a certificate and told you if they line up or not.

>The SSL module doesn't seem to let you read all the cert extensions,

Yes. That sucks. It was argued about on python-dev and ultimately the
people writing the code didn't want to expose everything. I don't
remember the exact argument for that position.

> It's very bad for the "ssl" module to both ignore this check and
>not have that mentioned prominently in the documentation.

I agree. As I said, I think the behavior should be well documented.
Jean-Paul
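
The check discussed in this message, written against the dict that getpeercert() returns, as an added example that is not part of the original post or the stdlib. The names cert_matches_hostname, _label_match and SAMPLE_CERT are hypothetical, the sample certificates are constructed, and only DNS names (not IP addresses) are handled.

```python
# Added example: match a hostname against the dict returned by
# ssl.SSLSocket.getpeercert(). Function names here are hypothetical.

def _label_match(pattern, hostname):
    """Compare one certificate DNS name with the hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels or "*" in hostname:
        return False
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # A wildcard covers exactly one leftmost label, and only when at
        # least two labels follow it (so "*.com" never matches).
        return len(rest) >= 2
    # Partial wildcards ("w*.example.com") are rejected outright.
    return "*" not in first and first == h_labels[0]


def cert_matches_hostname(cert, hostname):
    """Return True if the peer certificate is valid for hostname."""
    if not cert:
        # getpeercert() gives None or {} when there is no validated cert.
        return False
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Fall back to commonName only when no dNSName entries exist.
        for rdn in cert.get("subject", ()):
            dns_names.extend(v for (k, v) in rdn if k == "commonName")
    return any(_label_match(name, hostname) for name in dns_names)


# Constructed sample in the shape getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}

if __name__ == "__main__":
    for host in ("www.example.com", "v1.api.example.com", "evil.example.net"):
        print(host, cert_matches_hostname(SAMPLE_CERT, host))
```

Later Python versions perform this check in the ssl module itself: a context from ssl.create_default_context() has check_hostname enabled.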