Somehow your mail didn't end up on Python-dev

On 08.11.2013 00:38, Nick Coghlan wrote:
> In that case, it sounds like you need *two* new options rather than
> one. "verify_hostname", with the None/True/False behaviour and a
> separate postverify hook.
Mmmh, yes, you are making an intriguing point. Two different options are easier to understand and more powerful.

> It contains the word verify, but if I'm correct in thinking you
> intend for the new callback to be invoked only if the checks
> specified by verify_mode pass, then I would suggest "postverify",
> and skip adding the separate method.

The tests specified by verify_mode are done by OpenSSL during the protocol handshake. The SSLSocket object has no peer, peer cert and transport information before the handshake is done. So yes, these checks are always done before Python can match the hostname of the peer's cert and before the postverify hook can run.

OpenSSL has a verify callback hook that is called for each certificate in the trust chain starting with the peer cert up to a root cert. This callback is too low level and too complex to be useful for the majority of users. Python would also have to gain wrappers for X509_STORE and X509_STORE_CTX objects... You don't want to know the difference :)
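The two-phase ordering discussed above (OpenSSL validates the chain according to verify_mode inside the handshake; only afterwards does Python have a peer certificate to match a hostname against) can be shown with the public ssl API. The following is an added illustration written for this archive page, not code from the thread or from CPython itself. It assumes a context whose verify_mode is CERT_REQUIRED, models the "postverify" hook as a plain callable that receives the SSLSocket after do_handshake(), and implements the hostname matching over the dict shape returned by SSLSocket.getpeercert() (SAN DNS entries, with a wildcard honoured only as the whole leftmost label, falling back to commonName only when the certificate carries no SAN at all). Current Python does this matching itself when SSLContext.check_hostname is set; the hook here is an extra, explicit check that mirrors the flow the thread describes. The sample certificate dict at the bottom is constructed for the example.

```python
"""Post-handshake hostname check modelled on the verify_mode -> postverify flow."""
import socket
import ssl
from typing import Callable, Mapping


class HostnameMismatch(ssl.CertificateError):
    """Raised by the postverify hook when the peer cert does not cover the hostname."""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A '*' is accepted only as the entire leftmost label and matches exactly
    one label, and never against a name with fewer than three labels
    (so '*.test' cannot cover 'foo.test').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    if len(pat_labels) != len(host_labels) or len(pat_labels) < 3:
        return False
    if pat_labels[0] != "*":
        return False
    return pat_labels[1:] == host_labels[1:]


def hostname_matches(cert: Mapping, hostname: str) -> bool:
    """cert has the dict shape returned by SSLSocket.getpeercert()."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for (kind, value) in san if kind == "DNS"]
    if dns_names:
        # When a SAN extension is present, commonName is ignored.
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_matches(value, hostname):
                return True
    return False


def postverify_hostname(sslsock: ssl.SSLSocket, hostname: str) -> dict:
    """Hypothetical postverify hook: runs only after do_handshake() succeeded."""
    cert = sslsock.getpeercert()
    if not cert:
        # Cannot happen with CERT_REQUIRED, but the hook should not trust an empty dict.
        raise ssl.CertificateError("no peer certificate available after handshake")
    if not hostname_matches(cert, hostname):
        raise HostnameMismatch(f"certificate does not cover hostname {hostname!r}")
    return cert


def connect_with_postverify(hostname: str, port: int, context: ssl.SSLContext,
                            postverify: Callable[[ssl.SSLSocket, str], object]) -> ssl.SSLSocket:
    """Connect, let OpenSSL do the verify_mode checks, then run the postverify hook."""
    if context.verify_mode != ssl.CERT_REQUIRED:
        raise ValueError("context.verify_mode must be CERT_REQUIRED for postverify to be meaningful")
    raw = socket.create_connection((hostname, port))
    sslsock = context.wrap_socket(raw, server_hostname=hostname,
                                  do_handshake_on_connect=False)
    try:
        sslsock.do_handshake()          # chain validation per verify_mode happens here
        postverify(sslsock, hostname)   # peer cert is only available from this point on
    except Exception:
        sslsock.close()
        raise
    return sslsock


# Constructed sample in the getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}

# Constructed sample with no SAN extension, so commonName is consulted.
SAMPLE_CN_ONLY_CERT = {
    "subject": ((("commonName", "cn-only.test"),),),
}
```

For a live connection the usage would be `connect_with_postverify("example.test", 443, ssl.create_default_context(), postverify_hostname)`; a default context from ssl.create_default_context() already has verify_mode set to CERT_REQUIRED.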