On 31.08.2016 10:50, Christian Heimes wrote:
> On 2016-08-31 10:31, M.-A. Lemburg wrote:
>> In all this discussion I have yet to find a compelling security
>> relevant argument for using an 1.0.2 API which is so important
>> that we cannot make this optional at runtime.
>>
>> The only argument Christian reported was this one:
>>
>> """
>>> BTW: Are there any features in 1.0.2 that we need and would warrant
>>> dropping support for 1.0.1 earlier than Ubuntu 14.04 LTS ?
>>
>> Yes, there are features I want to use, e.g. proper hostname
>> verification. Python's post-handshake verification is a hack and leads
>> to information disclosure.
>> """
>>
>> Regarding that argument: hostname validation can be done
>> in 1.0.1 by providing a verification hook handler. That's
>> intended and by design, not a hack. 1.0.2 comes with
>> support for hostname validation making this a little easier
>> (you still have to set this up, though).
>
> Are you willing to implement and maintain this callback? Are you
> willing to do all the work?
Maintain: yes, if needed.

It is already implemented, so that part isn't hard :-)

> Are you aware how many security bugs we had in our own verification
> code? I'm aware of at least two critical bugs.

Not that many, given that host name validation is more a best-practices
art rather than one where all participants implement the standards:

http://bugs.python.org/issue?%40columns=id%2Cactivity%2Ctitle%2Ccreator%2Cassignee%2Cstatus%2Ctype&%40sort=-activity&%40filter=status&%40action=searchid&ignore=file%3Acontent&%40search_text=match_hostname&submit=search&status=-1%2C1%2C2%2C3

The only critical bug I could find was this one (NUL bytes in
subjectAltName):

http://bugs.python.org/issue18709

but as I understand, the true origin of the bug was an OpenSSL function,
not the host name matching code in Python.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Aug 31 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/

eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
http://www.malemburg.com/
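The message above argues that hostname validation can live in a Python-side verification hook, and that the one critical bug (NUL bytes in subjectAltName, issue18709) originated below that hook. The following is an added illustration, not code from the thread or from CPython's ssl module: a conservative RFC 6125-style matcher of the kind such a hook would call. It takes the dict shape returned by SSLSocket.getpeercert() (assumed here, with constructed certificate data rather than real certificates), rejects dNSName entries containing NUL or other non-printable bytes instead of matching them, applies the single-left-most-label wildcard rule, and only falls back to the commonName when the certificate carries no subjectAltName at all. Note the caveat the thread itself makes: if the layer that extracts the SAN already truncated the name at the NUL, Python never sees it, and no matcher written at this level can detect that.

```python
"""Added example: a conservative hostname matcher for a TLS verification
hook. Not CPython's ssl.match_hostname; certificate dicts below are
constructed test data using the getpeercert()-style layout (assumed)."""
import ipaddress


class CertificateError(ValueError):
    pass


def _dns_name_ok(name: str) -> bool:
    # Reject NUL and any other non-printable or non-ASCII byte outright.
    # A dNSName such as "www.good.example\x00.evil.example" must never be
    # truncated at the NUL and then compared as "www.good.example".
    return bool(name) and all(0x21 <= ord(c) <= 0x7E for c in name)


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN pattern against a hostname."""
    if not _dns_name_ok(pattern) or not _dns_name_ok(hostname):
        return False
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Wildcard rules (conservative reading of RFC 6125 section 6.4.3):
    #   - exactly one '*', and it must be the whole left-most label
    #   - at least two labels must follow it (so "*.com" is rejected)
    #   - the wildcard matches exactly one non-empty label
    labels = pattern.split(".")
    if labels[0] != "*" or pattern.count("*") != 1 or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels) or not host_labels[0]:
        return False
    return host_labels[1:] == labels[1:]


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateError unless `hostname` is covered by `cert`."""
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    san = cert.get("subjectAltName", ())
    for key, value in san:
        if key == "DNS" and host_ip is None:
            if _dnsname_match(value, hostname):
                return
        elif key == "IP Address" and host_ip is not None:
            try:
                if ipaddress.ip_address(value) == host_ip:
                    return
            except ValueError:
                continue  # malformed IP SAN entry: ignore, do not match
    if not san and host_ip is None:
        # CN is a legacy fallback, consulted only when no SAN is present.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dnsname_match(value, hostname):
                    return
    raise CertificateError("hostname %r doesn't match certificate" % hostname)


def hostname_matches(cert: dict, hostname: str) -> bool:
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


# Constructed certificate data (not real certificates).
CERT_SAN = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "www.good.example"),
                       ("DNS", "*.api.good.example"),
                       ("IP Address", "192.0.2.10")),
}
CERT_NUL = {  # the issue18709 shape: NUL embedded in a dNSName
    "subject": ((("commonName", "www.good.example"),),),
    "subjectAltName": (("DNS", "www.good.example\x00.evil.example"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "*.good.example"),),)}

if __name__ == "__main__":
    for cert, host in [(CERT_SAN, "www.good.example"),
                       (CERT_SAN, "v1.api.good.example"),
                       (CERT_SAN, "a.b.api.good.example"),
                       (CERT_NUL, "www.good.example"),
                       (CERT_CN_ONLY, "foo.good.example")]:
        print(host, "->", hostname_matches(cert, host))
```

Running the module prints one line per constructed case; the NUL case is rejected because the dNSName never passes `_dns_name_ok`, and `ignored.example` is not accepted for `CERT_SAN` because a present SAN suppresses the CN fallback.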