On Monday, February 4, 2013 at 11:15 AM, Giovanni Bajo wrote:

> Il giorno 04/feb/2013, alle ore 17:04, "Antoine Pitrou" <[email protected]> ha scritto:
>
> > Hi,
> >
> > > Il giorno 04/feb/2013, alle ore 16:02, Laurens Van Houtven <[email protected]> ha scritto:
> > >
> > > > On Mon, Feb 4, 2013 at 3:51 PM, Giovanni Bajo <[email protected]> wrote:
> > > >
> > > > > > (That reminds me; does the stdlib still ignore OCSP?)
> > > > >
> > > > > TBH, it's worse than that; it doesn't even check SSL certificates by
> > > > > default. The default is to ignore any certificate sent by the server
> > > > > and get on with the connection.
> > > >
> > > > Right, but IIUC you can at least convince it to verify certs by
> > > > setting the appropriate flag;
> > >
> > > Something like that; it's missing an (auto-updating) CA bundle or a way to
> > > read the operating system's one, and a function that matches the server
> > > name with either CN and SAN fields with the correct wildcard rules (this
> > > was added in Python 3.2).
> >
> > SSLContext is your friend:
> > http://docs.python.org/3.3/library/ssl.html#ssl.SSLContext.set_default_verify_paths
>
> Thanks for the pointer, but that's 3.2+ only. We need a working solution for
> all versions supported by pip, if we treat it as a security bug (I think we
> should).

I concur very strongly. Since this issue has come out I've had more and more proof of concepts/issues brought to my attention in this arena. I'm working on collecting notes and other items to move forward with in a single document. As needed I will be working on having the PSF fund needed areas.

jesse

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
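The thread names two things a client needs before a TLS connection is worth anything: a context that actually requires and verifies the server certificate against a trust store (Antoine's `SSLContext` pointer), and a hostname check that applies the correct CN/SAN and wildcard rules (the function Giovanni notes only arrived in Python 3.2). The block below is an added illustration written for this page, not code from the thread, from pip or from the stdlib, and it targets a modern Python 3 `ssl` module rather than the older interpreters the thread is worried about. The certificate dicts are constructed samples in the shape `SSLSocket.getpeercert()` returns, and the function names (`match_hostname`, `make_verifying_context`, `context_verifies`) are this example's own.

```python
import ssl

# Constructed sample certificates, in the dict shape SSLSocket.getpeercert()
# returns for a verified peer. Illustrative values only, not real certs.
SAN_CERT = {
    "subject": ((("commonName", "pkg.example.org"),),),
    "subjectAltName": (("DNS", "pkg.example.org"), ("DNS", "*.pkg.example.org")),
}
CN_ONLY_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
}
SAN_OVERRIDES_CN_CERT = {
    # CN matches but a DNS SAN is present, so the CN must be ignored.
    "subject": ((("commonName", "pkg.example.org"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
BARE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.org"),),),
}


def _dns_pattern_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the entire leftmost label, it matches
    exactly one label, and it needs at least two fixed labels to its right
    so that a name like '*.org' cannot cover every host under .org.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Wildcard must be the whole first label and appear nowhere else.
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return hlabels[0] != "" and plabels[1:] == hlabels[1:]


def match_hostname(cert, hostname):
    """Return True if the certificate's names cover hostname.

    subjectAltName DNS entries are authoritative; the subject commonName is
    consulted only when the certificate carries no DNS SAN at all.
    """
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        candidates = san_names
    else:
        candidates = [
            value
            for rdn in cert.get("subject", ())
            for kind, value in rdn
            if kind == "commonName"
        ]
    return any(_dns_pattern_matches(name, hostname) for name in candidates)


def make_verifying_context(cafile=None):
    """Build a client context that rejects unverifiable certs and checks names.

    With no cafile, the system trust store is loaded (load_default_certs uses
    set_default_verify_paths under the hood on most platforms).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def context_verifies(ctx):
    """True only when peer certs are required and the hostname is matched."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    ctx = make_verifying_context()
    print("context verifies peers:", context_verifies(ctx))
    print("SAN cert covers files.pkg.example.org:",
          match_hostname(SAN_CERT, "files.pkg.example.org"))
    print("bare '*.org' covers evil.org:",
          match_hostname(BARE_WILDCARD_CERT, "evil.org"))
```

`context_verifies` is the check worth keeping around: a context whose `verify_mode` is `CERT_NONE` is exactly the "ignore any certificate sent by the server" behaviour the thread describes, and a context that verifies the chain but leaves `check_hostname` off will happily accept any valid certificate for any name.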
