Certificate validation with HTTPSConnection
nagle at animats.com
Wed Sep 29 22:41:15 CEST 2010
On 9/29/2010 1:18 PM, Ned Deily wrote:
> In article <d07279e14b9bbb842bf97b8874f7d05b at ivanov-nest.com>,
> Velko Ivanov <vivanov at ivanov-nest.com> wrote:
>> I've always wondered why HTTPSConnection does not validate
>> It is fairly simple to use the SSL socket's validation:
> Perhaps you can write up your example as a documentation patch to the
> http.client documentation page and submit it to the Python bug tracker
We've been through this. Too many times.
(2005: Broken in Python 2.2, eventually fixed)
(2008: Why this matters)
(2010: Broken in new Python 2.6 SSL module.)
(2010: Developer "Bill Jansen" in denial, others disagree.
Currently being debated. See bug tracker.)
The really stupid thing about the current SSL module is that it
accepts a file of root certificates as a parameter, but ignores it.
So it creates the illusion of security without providing it.
As someone pointed out, the current SSL module "lets you talk
encrypted to your attacker".
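
The failure mode this message describes, trust roots being supplied while the peer certificate is never checked, can be tested for on a client's TLS settings before any connection is made. The following is an added example, not part of the original post, and it uses the present-day Python 3 `ssl.SSLContext` API rather than the 2010 module under discussion; `audit_context`, `ca_loaded_but_ignored` and `verified_connection` are hypothetical names.

```python
import http.client
import ssl


def audit_context(ctx):
    """List the reasons this context would accept an impostor's certificate."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: chain is never checked")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: certificate name is never matched")
    return problems


def ca_loaded_but_ignored(cafile=None):
    """Constructed weak case: trust roots are loaded, yet nothing consults them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # handshake succeeds with any certificate
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def verified_connection(host, port=443, context=None, cafile=None, timeout=10):
    """Build an HTTPSConnection only if its context validates chain and hostname."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    ctx = context or ssl.create_default_context(cafile=cafile)
    problems = audit_context(ctx)
    if problems:
        raise ValueError("; ".join(problems))
    # No network traffic happens here; the handshake runs on the first request().
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    for name, ctx in (("weak", ca_loaded_but_ignored()),
                      ("default", ssl.create_default_context())):
        print(name, audit_context(ctx) or "validates chain and hostname")
```
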