Certificate validation with HTTPSConnection

John Nagle nagle at animats.com
Wed Sep 29 22:41:15 CEST 2010


On 9/29/2010 1:18 PM, Ned Deily wrote:
> In article<d07279e14b9bbb842bf97b8874f7d05b at ivanov-nest.com>,
>   Velko Ivanov<vivanov at ivanov-nest.com>  wrote:
>
>> I've always wandered why HTTPSConnection does not validate
>> certificates?
>>
>> It is fairly simple to use the SSL socket's validation:
> [...]
>
> Perhaps you can write up your example as a documentation patch to the
> http.client documentation page and submit it to the Python bug tracker
> (http://bugs.python.org/).

     We've been through this.  Too many times.

http://bugs.python.org/issue1114345
(2005: Broken in Python 2.2, eventually fixed)

http://www.justinsamuel.com/2008/12/25/the-importance-of-validating-ssl-certificates/
(2008: Why this matters)

http://www.mail-archive.com/python-list@python.org/msg281736.html
(2010: Broken in new Python 2.6 SSL module.)

http://bugs.python.org/issue1589
(2010: Developer "Bill Jansen" in denial, others disagree.
Currently being debated.  See bug tracker.)

The really stupid thing about the current SSL module is that it
accepts a file of root certificates as a parameter, but ignores it.
So it creates the illusion of security without providing it.
As someone pointed out, the current SSL module "lets you talk
encrypted to your attacker".

				John Nagle




More information about the Python-list mailing list