Devin Cook <devin.c.c...@gmail.com> wrote:

> Also, I have looked through the docs and code, but haven't been able to
> figure out exactly what is included in certificate "validation". Is it just
> validating the chain? Does it check the NotBefore and NotAfter dates?

I believe so, but you'll have to check the OpenSSL code.

> Does it check that the host the socket is connected to is the same as
> what's given in the CN field in the certificate?

No. That, in general, doesn't work very well. The IETF working group on this is considering deprecating putting a hostname in the CN field at all, and just adding hostnames via the subjectAltName extension. The problem that's come up is that many computers don't have fixed IP addresses, and even with that the hostname is part of a different mapping of hostnames to IP addresses, which can also vary. I think that when the https: protocol scheme was written, it seemed like a good idea, but conventions on the Internet have changed a lot since then.

> Where I'm going with this is I think all this checking needs to be part of
> certificate validation in the ssl module.

I don't think so. I put in hooks to let you do this in user code if you need to. See the archives for more discussion on this -- I'm not going to rehash it again.

(This is really a question for OpenSSL mailing lists, or perhaps python-list.)

Bill
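The hostname check that this message leaves to user code, written out as an added example; it is not code from the thread or from the ssl module. It works on the dictionary layout that `ssl.SSLSocket.getpeercert()` returns, treats subjectAltName DNS entries as authoritative and falls back to the CN only when the certificate carries no DNS entry at all (the direction the message says the IETF was moving), allows a wildcard only as the whole left-most label, and matches an IP literal only against iPAddress entries. The certificate values and hostnames are constructed for the demonstration. Python 3.4 and later perform this check by default when a context from `ssl.create_default_context()` is used with `server_hostname` set, so the function below is mainly useful for understanding what that default does, or for pinning down behaviour on a cert dict obtained some other way.

```python
import ipaddress


class HostnameMismatch(Exception):
    """Raised when no identifier in the certificate matches the requested host."""


def _dns_id_matches(pattern, hostname):
    """Match one DNS identifier from a certificate against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is only
    accepted as the entire left-most label and never matches across a dot:
    '*.cdn.example.test' matches 'img.cdn.example.test' but neither
    'a.b.cdn.example.test' nor 'cdn.example.test'. Wildcards with fewer than
    three labels ('*.test') are rejected as overly broad.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    # Only a bare '*' as the left-most label is allowed; 'f*.example' or a
    # '*' in any later label is refused.
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    return plabels[1:] == hlabels[1:]


def match_hostname(cert, hostname):
    """Return the certificate identifier that matches *hostname*.

    *cert* uses the layout of ssl.SSLSocket.getpeercert(): a 'subject' tuple of
    RDNs and an optional 'subjectAltName' tuple of (type, value) pairs.
    Raises HostnameMismatch if nothing matches.
    """
    if not cert:
        raise HostnameMismatch("empty or missing certificate")
    san = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    ip_ids = [value for kind, value in san if kind == "IP Address"]

    # An IP literal is compared only against iPAddress entries, never against
    # DNS names or the CN.
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        for candidate in ip_ids:
            try:
                if ipaddress.ip_address(candidate) == wanted_ip:
                    return candidate
            except ValueError:
                continue  # malformed entry in the cert; skip it
        raise HostnameMismatch("IP %s not in certificate" % hostname)

    for dns_id in dns_ids:
        if _dns_id_matches(dns_id, hostname):
            return dns_id

    # The CN is consulted only for certificates with no DNS subjectAltName.
    if not dns_ids:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_id_matches(value, hostname):
                    return value

    raise HostnameMismatch("hostname %r not in certificate" % hostname)


def hostname_matches(cert, hostname):
    """Boolean convenience wrapper around match_hostname."""
    try:
        match_hostname(cert, hostname)
        return True
    except HostnameMismatch:
        return False


# Constructed sample certificates in getpeercert() layout (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "legacy.example.test"),),),
    "subjectAltName": (
        ("DNS", "www.example.test"),
        ("DNS", "*.cdn.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.test"),),)}


if __name__ == "__main__":
    for host in ("www.example.test", "img.cdn.example.test",
                 "a.b.cdn.example.test", "legacy.example.test", "192.0.2.10"):
        print("%-24s %s" % (host, hostname_matches(SAN_CERT, host)))
```

The CN fallback is deliberately skipped as soon as any DNS entry exists, so the `legacy.example.test` CN in `SAN_CERT` does not match even though it is present; that mirrors the point in the message that the CN is not a reliable place for a hostname once subjectAltName is in use.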