There's also the patch to httplib that Devin Cook has been working on for SSL enhancements, some of which do name checking. He's got most of a patch completed.
On Thu, Sep 10, 2009 at 3:01 PM, Bill Janssen <jans...@parc.com> wrote:
> Heikki, I'm OK with this, too. Would you like to propose an extended
> API for the SSL module? That would give us a starting point to talk
> about.
>
> This should probably be a PEP, just for the sake of writing things down.
>
> As you say, the hostname checking feature seems to me possibly
> appropriate for some application protocols, though it's made the use of
> HTTPS as a transport-level protocol unnecessarily confusing and buggy.
> I don't see putting that into the SSL module as a default, but perhaps a
> utility function in that module, to check a server-side cert against a
> hostname, is a good idea.
>
> Bill
>
>
> Heikki Toivonen <htoivo...@spikesource.com> wrote:
>
>> Bill Janssen wrote:
>> > OK, seems reasonable. Thanks. In the near term, can you do this with
>> > M2Crypto or PyOpenSSL?
>> >
>> > When I started this update in 2007, we were trying to keep the API
>> > simple to avoid confusing people and avoid competition with the two
>> > full-fledged toolkits out there. But I don't see any real reason not to
>> > extend the API a bit.
>>
>> Speaking as the M2Crypto maintainer, I don't mind the stdlib competing
>> with M2Crypto/getting better at SSL. In fact, I would actually like to
>> see the stdlib SSL implementation getting good enough so that people
>> would not need M2Crypto for SSL (except maybe in special circumstances).
>> There is much M2Crypto does besides SSL so this wouldn't even obsolete it.
>>
>> One of the main things IMO missing from stdlib SSL implementation is
>> hostname checking by default (with override option), but I know you and
>> I have different opinions on this. I would be happy to provide patches
>> against the stdlib SSL implementation for some things M2Crypto does that
>> the stdlib SSL module is missing if we could agree on the
>> features/design first. Simple is good, but I'd like the defaults to be
>> secure and commonly overridden things to be overrideable.
>>
>> --
>> Heikki Toivonen
>>
>> _______________________________________________
>> Python-Dev mailing list
>> Python-Dev@python.org
>> http://mail.python.org/mailman/listinfo/python-dev
>> Unsubscribe:
>> http://mail.python.org/mailman/options/python-dev/janssen%40parc.com
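The "utility function to check a server-side cert against a hostname" that Bill proposes above is small enough to show in full. What follows is an added example written for this thread; it is not code from the ssl module, httplib, M2Crypto, or any of the patches mentioned, and the two certificate dicts at the bottom are constructed to look like `SSLSocket.getpeercert()` output rather than taken from real certificates. It applies the checks a practitioner wants to see handled explicitly: subjectAltName dNSName entries win over the subject CN, the CN is only a fallback when no dNSName exists, an IP literal is compared only against "IP Address" SAN entries, wildcards are restricted to the whole leftmost label and never span a dot, and an empty certificate (the peer was never verified) is a failure rather than a pass.

```python
"""Hostname checking against a server certificate, in the shape the stdlib
``ssl`` module hands back from ``SSLSocket.getpeercert()``.

Added example for this thread; it is not code from the ssl module, httplib,
M2Crypto or any patch mentioned above.  The certificate dicts at the bottom
are constructed for illustration and are not real certificates.
"""
import ipaddress


class CertificateError(ValueError):
    """Raised when the certificate does not match the requested host."""


def _dnsname_match(pattern, hostname):
    """Match one dNSName (or CN) pattern against a hostname.

    Conservative RFC 6125-style rules: comparison is case-insensitive; a
    wildcard is honoured only when it is the entire leftmost label and at
    least two labels follow it (so ``*.com`` never matches); it never spans
    a dot; and it is not applied to IDNA A-labels (``xn--``).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    leftmost, rest = labels[0], labels[1:]
    if leftmost != "*" or len(rest) < 2 or any("*" in lab for lab in rest):
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels) or not host_labels[0]:
        return False
    if host_labels[0].startswith("xn--"):
        return False
    return host_labels[1:] == rest


def match_hostname(cert, hostname):
    """Verify ``hostname`` against ``cert`` (a ``getpeercert()``-style dict).

    dNSName subjectAltName entries take precedence; the subject commonName is
    consulted only when the certificate carries no dNSName at all.  An IP
    literal is compared only against "IP Address" SAN entries, never against
    DNS names.  Returns the matching name, raises CertificateError otherwise.
    """
    if not cert:
        # getpeercert() returns {} when the peer cert was not validated
        # (CERT_NONE); a name check on an unverified cert proves nothing.
        raise CertificateError("empty certificate: peer was not verified")
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    san = cert.get("subjectAltName", ())
    dnsnames = [v for k, v in san if k == "DNS"]
    ipnames = [v for k, v in san if k == "IP Address"]

    if ip is not None:
        for value in ipnames:
            try:
                if ipaddress.ip_address(value) == ip:
                    return value
            except ValueError:  # malformed SAN entry: skip it, never match it
                continue
        raise CertificateError("IP %s not in certificate SANs %r"
                               % (hostname, ipnames))

    for name in dnsnames:
        if _dnsname_match(name, hostname):
            return name
    if not dnsnames:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dnsname_match(value, hostname):
                    return value
    raise CertificateError("hostname %r does not match certificate names %r"
                           % (hostname, dnsnames or "CN only"))


def matches(cert, hostname):
    """Boolean convenience wrapper around match_hostname()."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


# Constructed sample certificates (getpeercert() layout, not real certs).
SAN_CERT = {
    "subject": ((("commonName", "mail.example.net"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.example.org"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),),
                (("commonName", "legacy.example.com"),)),
}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "www.example.com"), (SAN_CERT, "foo.example.org"),
                       (SAN_CERT, "a.b.example.org"), (SAN_CERT, "mail.example.net"),
                       (SAN_CERT, "192.0.2.10"), (CN_ONLY_CERT, "legacy.example.com")]:
        print("%-22s %s" % (host, "OK" if matches(cert, host) else "MISMATCH"))
```

Two points worth noting for anyone wiring this into a client today. The check is only meaningful after the chain has been verified (`CERT_REQUIRED`); with `CERT_NONE`, `getpeercert()` returns an empty dict and the function above refuses rather than silently passing. And the stdlib has since taken Heikki's side of the argument: `ssl.match_hostname()` shipped in Python 3.2, and from Python 3.4 `SSLContext.check_hostname` together with `ssl.create_default_context()` makes OpenSSL perform the name check during the handshake when `server_hostname=` is passed to `wrap_socket()`, which is why `ssl.match_hostname()` was deprecated in 3.7 and removed in 3.12.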