Certificate validation with HTTPSConnection

John Nagle nagle at animats.com
Wed Sep 29 23:41:00 EDT 2010


On 9/29/2010 3:51 PM, Antoine Pitrou wrote:
> On Wed, 29 Sep 2010 13:41:15 -0700
> John Nagle<nagle at animats.com>  wrote:
>>
>> The really stupid thing about the current SSL module is that it
>> accepts a file of root certificates as a parameter, but ignores it.
>
> That's not true. You have to pass CERT_OPTIONAL or CERT_REQUIRED as a
> parameter (CERT_NONE is though).

    If you pass CERT_REQUIRED and a root certificate authority file,
there has to be some certificate, but the signature chain is
not validated against the CA file, so the cert doesn't certify
anything.  Phony web sites look valid to Python's SSL library.

				John Nagle
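
Added example, not part of the original message or of Python's own code: a check of the two client-side settings in the present-day `ssl` module (assumed: Python 3.7 or later) that decide whether an `HTTPSConnection` rejects a phony site, namely chain validation (`verify_mode`) and the host name match (`check_hostname`). The helper names and the host `example.org` are hypothetical; nothing here opens a network connection.

```python
import http.client
import ssl


def audit(ctx):
    """Return the reasons a client-side SSLContext would accept a phony server."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("verify_mode is CERT_NONE: the certificate chain is never validated")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: a valid certificate issued for another name is accepted")
    return problems


def strict_context(cafile=None):
    # CERT_REQUIRED + check_hostname; trusts cafile if given, else the system CA store.
    return ssl.create_default_context(cafile=cafile)


def no_hostname_context():
    # Chain validation only: CERT_REQUIRED without the host name match.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    return ctx


def unverified_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared first, or the next line raises ValueError
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_connection(host, ctx=None, port=443):
    """Build (without connecting) an HTTPSConnection, refusing weak contexts."""
    ctx = ctx if ctx is not None else strict_context()
    problems = audit(ctx)
    if problems:
        raise ValueError("; ".join(problems))
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    for name, make in [("strict", strict_context),
                       ("no host name check", no_hostname_context),
                       ("unverified", unverified_context)]:
        print(name, "->", audit(make()) or "ok")
```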


