Certificate validation with HTTPSConnection

Ned Deily nad at acm.org
Thu Sep 30 00:24:01 CEST 2010


In article <4CA3A46B.4080006 at animats.com>,
 John Nagle <nagle at animats.com> wrote:
>      We've been through this.  Too many times.
> 
> http://bugs.python.org/issue1114345
> (2005: Broken in Python 2.2, eventually fixed)
> 
> http://www.justinsamuel.com/2008/12/25/the-importance-of-validating-ssl-certif
> icates/
> (2008: Why this matters)
> 
> http://www.mail-archive.com/python-list@python.org/msg281736.html
> (2010: Broken in new Python 2.6 SSL module.)
> 
> http://bugs.python.org/issue1589
> (2010: Developer "Bill Jansen" in denial, others disagree.
> Currently being debated.  See bug tracker.)
> 
> The really stupid thing about the current SSL module is that it
> accepts a file of root certificates as a parameter, but ignores it.
> So it creates the illusion of security without providing it.
> As someone pointed out, the current SSL module "lets you talk
> encrypted to your attacker".

I'll just note in passing that Issue1589 is being discussed again.  Feel 
free to contribute.

-- 
 Ned Deily,
 nad at acm.org




More information about the Python-list mailing list