Patches item #1114345, was opened at 2005-02-01 23:04 Message generated for change (Comment added) made by gustavo You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1114345&group_id=5470
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Modules Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: James Eagan (noonian) Assigned to: Nobody/Anonymous (nobody) Summary: Add SSL certificate validation Initial Comment: One line summary: adds certificate validation to the SSL module and programmer-level hooks to control how and whether certificate validation is performed. Details: The current SSL implementation in python goes through the motions of negotiating an SSL connection, but never validates the certificates exchanged. This is like going through the motions of checking someone's photo id, but never making sure the picture matches the person you're talking to. This patch fixes that. This patch adds 3 module-level variables to the socket module, which get exposed iff ssl is built in. These variables (ssl_ca_file, ssl_ca_path, and ssl_verify_level) provide programmer-level access to the certificate authorities database and to control what level of certificate verification is performed (by default, none, as is the current behavior). If certificate verification is enabled, then one of the two certificate authority parameters must be set to a valid certificate authority database or all certificate verification operations will fail. I have an example certificate authority database (extracted from the Java keystore) that I can provide, but I'm not sure how to contribute that through the patch mechanism. Cheers! James Eagan ---------------------------------------------------------------------- Comment By: Gustavo J. A. M. Carneiro (gustavo) Date: 2006-11-09 15:20 Message: Logged In: YES user_id=908 > This patch adds 3 module-level variables to the socket module, which get exposed iff ssl is built in. These variables (ssl_ca_file, ssl_ca_path, and ssl_verify_level) provide programmer-level access to the certificate authorities database and to control what level of certificate verification is performed (by default, none, as is the current behavior). Are you sure it's a good idea to have this kind of 'global' control over certification authorities? Global configurations are handy at first, but they come back and bite us when we least expect it... ---------------------------------------------------------------------- Comment By: James Eagan (noonian) Date: 2006-11-09 14:43 Message: Logged In: YES user_id=31389 Nagle: I haven't heard anything from anyone besides you and jbowes abou this patch here or on the python-dev list, and I haven't had time to follow up. You might have more success via the email list. (Or, if any of the python maintainers is reading this, do you have any suggestions to make this patch more attractive?) ---------------------------------------------------------------------- Comment By: John Nagle (nagle) Date: 2006-11-09 04:14 Message: Logged In: YES user_id=5571 What's the status of this? Is it going in? I have a need for it. Thanks. ---------------------------------------------------------------------- Comment By: James Bowes (jbowes) Date: 2006-06-21 20:43 Message: Logged In: YES user_id=1543815 I put together an updated version of this patch against svn trunk as of June 21, 2006. I also added some additional documentation to the .tex file. Maybe someone with sufficient privilidges (or James, if you're still out there) could attach the updated patch here? the updated patch is at: http://www.dangerouslyinc.com/~bowes/ssl_ca.diff Regards, James Bowes ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=305470&aid=1114345&group_id=5470 _______________________________________________ Patches mailing list Patches@python.org http://mail.python.org/mailman/listinfo/patches
