Certificate validation with HTTPSConnection
John Nagle
nagle at animats.com
Wed Sep 29 16:41:15 EDT 2010
On 9/29/2010 1:18 PM, Ned Deily wrote:
> In article<d07279e14b9bbb842bf97b8874f7d05b at ivanov-nest.com>,
> Velko Ivanov<vivanov at ivanov-nest.com> wrote:
>
>> I've always wandered why HTTPSConnection does not validate
>> certificates?
>>
>> It is fairly simple to use the SSL socket's validation:
> [...]
>
> Perhaps you can write up your example as a documentation patch to the
> http.client documentation page and submit it to the Python bug tracker
> (http://bugs.python.org/).
We've been through this. Too many times.
http://bugs.python.org/issue1114345
(2005: Broken in Python 2.2, eventually fixed)
http://www.justinsamuel.com/2008/12/25/the-importance-of-validating-ssl-certificates/
(2008: Why this matters)
http://www.mail-archive.com/python-list@python.org/msg281736.html
(2010: Broken in new Python 2.6 SSL module.)
http://bugs.python.org/issue1589
(2010: Developer "Bill Jansen" in denial, others disagree.
Currently being debated. See bug tracker.)
The really stupid thing about the current SSL module is that it
accepts a file of root certificates as a parameter, but ignores it.
So it creates the illusion of security without providing it.
As someone pointed out, the current SSL module "lets you talk
encrypted to your attacker".
John Nagle
More information about the Python-list
mailing list