Patches item #810754, was opened at 2003-09-22 18:30
Message generated for change (Comment added) made by nagle
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=810754&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Modules
Group: Python 2.2.x
Status: Closed
Resolution: Rejected
Priority: 5
Private: No
Submitted By: Damjan Georgievski (gdamjan)
Assigned to: Martin v. Löwis (loewis)
Summary: socket.ssl should check certificates

Initial Comment:
I've decided to post here the patch proposed by Ed
Phillips, since I think it's simple addition to the
socket.ssl that will drastically increase its
usefulness... The point of the patch is for a
socket.ssl object to check the certificate received by
the peer.

http://mail.python.org/pipermail/python-list/2003-July/174933.html

----------------------------------------------------------------------

Comment By: John Nagle (nagle)
Date: 2006-11-30 20:18

Message:
Logged In: YES 
user_id=5571
Originator: NO

Same bug, with different patch, is at: [ 1114345 ] Add SSL certificate
validation

----------------------------------------------------------------------

Comment By: John Nagle (nagle)
Date: 2006-11-30 20:10

Message:
Logged In: YES 
user_id=5571
Originator: NO

This should be reopened.  Just because the proposed fix didn't work is no
reason to close the defect report.

Currently, Python will accept the following totally bogus certificate
(from www.amaison.co.uk) as valid:

C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = [EMAIL PROTECTED]
Issuer identity:
C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = [EMAIL PROTECTED]

----------------------------------------------------------------------

Comment By: Martin v. Löwis (loewis)
Date: 2003-10-26 16:47

Message:
Logged In: YES 
user_id=21627

I think you are mis-interpreting the purpose of the key_file
and cert_file arguments. They do *not* indicate the
certificate of the trusted CAs, but provide the key and
certificate of the *client*. By re-interpreting the
cert_file as the file of the trusted CAs, you break
client-side authentication. Therefore, I reject this patch.

That said, I do agree that checking server-side certificates
is a useful thing, so I encourage you to provide a new patch
which does that, e.g. by adding a certificate_chain_file
argument (or some such).

----------------------------------------------------------------------
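The two points raised in the thread, that a self-signed certificate with a CN of localhost.localdomain should never be accepted for a real host, and that the trusted-CA bundle is a different input from the client's own key and certificate, can be shown with the modern ssl module. The following is an added example, not code from the thread or from the Python project: the peer certificate is constructed here in the tuple layout that ssl.SSLSocket.getpeercert() returns, reproducing the placeholder certificate quoted above (the redacted e-mail address is omitted), and the function names are this example's own.

```python
import ssl
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert():
# the self-signed placeholder certificate quoted in the thread, where
# issuer and subject are identical.
_PLACEHOLDER_NAME = (
    (("countryName", "--"),),
    (("stateOrProvinceName", "SomeState"),),
    (("localityName", "SomeCity"),),
    (("organizationName", "SomeOrganization"),),
    (("organizationalUnitName", "SomeOrganizationalUnit"),),
    (("commonName", "localhost.localdomain"),),
)
BOGUS_PEER_CERT: Dict[str, Any] = {
    "subject": _PLACEHOLDER_NAME,
    "issuer": _PLACEHOLDER_NAME,
}


def _name_to_dict(name: Tuple) -> Dict[str, str]:
    """Flatten a getpeercert()-style distinguished name into {attribute: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def is_self_signed(cert: Dict[str, Any]) -> bool:
    """Issuer equal to subject: nobody but the key holder vouches for the key."""
    return _name_to_dict(cert["subject"]) == _name_to_dict(cert["issuer"])


def cert_hostnames(cert: Dict[str, Any]) -> List[str]:
    """DNS names the certificate claims: subjectAltName entries, CN as fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = _name_to_dict(cert["subject"]).get("commonName")
    if not names and cn:
        names.append(cn)
    return names


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label such as *.example.test."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == hostname


def hostname_matches(cert: Dict[str, Any], hostname: str) -> bool:
    return any(_pattern_matches(p, hostname) for p in cert_hostnames(cert))


def audit_peer_cert(cert: Dict[str, Any], expected_host: str) -> List[str]:
    """Return the reasons to reject `cert` for `expected_host`; empty means acceptable."""
    problems = []
    if is_self_signed(cert):
        problems.append("self-signed: issuer equals subject, no trusted CA vouches for it")
    if not hostname_matches(cert, expected_host):
        problems.append("hostname mismatch: certificate is for %s, not %s"
                        % (", ".join(cert_hostnames(cert)) or "<no name>", expected_host))
    return problems


def verifying_context(cafile: Optional[str] = None,
                      client_certfile: Optional[str] = None,
                      client_keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the server, with optional client authentication.

    The trusted-CA bundle (cafile) and the client's own certificate/key are
    separate inputs, which is the distinction Martin's comment draws for the
    old key_file/cert_file arguments. create_default_context() already sets
    verify_mode=CERT_REQUIRED and check_hostname=True, so the self-signed
    certificate above fails verification and the CN/SAN must match the host.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if client_certfile:
        ctx.load_cert_chain(certfile=client_certfile, keyfile=client_keyfile)
    return ctx


if __name__ == "__main__":
    for problem in audit_peer_cert(BOGUS_PEER_CERT, "www.amaison.co.uk"):
        print("reject:", problem)
    ctx = verifying_context()
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
```

audit_peer_cert() is a manual check on an already-decoded certificate, useful for logging or for auditing what a peer presented; the real enforcement is the verifying context, which OpenSSL applies during the handshake before any application data is exchanged.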

_______________________________________________
Patches mailing list
Patches@python.org
http://mail.python.org/mailman/listinfo/patches