Joshua Kramer wrote:

Rafael,

I just checked in basic support for SSL today. It runs through the
python test suite (over SSL) with no problems. I haven't tried client
auth or anything like that yet though.

When you say that you haven't tried client auth - by 'client auth' do
you mean verifying the certificate of the peer?
If I am not mistaken, you are using the socket.ssl function (as imported
by qpid/util.py) to initiate the SSL communications over the socket. I
note from the Python docs (at least for 2.5.2) that this function does
not do any certificate verification.

I noticed this as well.

Would it be appropriate for me to investigate use of the Python ssl
class, which offers more options in regards to certificate validation?
The caveat here is that it depends on OpenSSL, which may or may not be
present on a given Python installation... and it *appears* to be limited
to Python 2.6, which is a big drawback. And it won't help me, since my
use of Python qpid will be inside OpenOffice.org, which is 99 Python
revisions behind the current.

It would be fine. I don't use python 2.6 either, so I would just request
that whatever you try will degrade gracefully on older versions of python.

I will, however, test that the broker correctly refuses a connection
from the Python SSL client that does not provide the correct cert.

Great.

--Rafael
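
One way the graceful degradation discussed in this thread could look, as an added example that is not Qpid code or code from either poster. The names `tls_support`, `make_context`, `wrap_client` and `allow_unverified` are hypothetical; the sketch picks the strongest wrapping the interpreter offers and refuses the unverified `socket.ssl` path unless the caller opts in.

```python
import socket

try:
    import ssl  # absent before Python 2.6 or when built without OpenSSL
except ImportError:
    ssl = None


def tls_support():
    """Return the strongest TLS wrapping this interpreter offers."""
    if ssl is not None and hasattr(ssl, "create_default_context"):
        return "context"      # SSLContext: chain and hostname verification
    if ssl is not None and hasattr(ssl, "wrap_socket"):
        return "wrap_socket"  # 2.6-era ssl module: chain verification only
    if hasattr(socket, "ssl"):
        return "legacy"       # socket.ssl: encrypts, verifies nothing
    return "none"


def make_context(ca_file=None):
    """Build a client context that rejects unverified peers."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def wrap_client(sock, host, ca_file=None, allow_unverified=False):
    """Wrap a client socket; return (wrapped, peer_verified)."""
    mode = tls_support()
    if mode == "context":
        ctx = make_context(ca_file)
        return ctx.wrap_socket(sock, server_hostname=host), True
    if mode == "wrap_socket":
        # ca_file is required here; the hostname is not checked on this path.
        wrapped = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED,
                                  ca_certs=ca_file)
        return wrapped, True
    if not allow_unverified:
        raise RuntimeError("no certificate verification on this Python")
    if mode == "legacy":
        return socket.ssl(sock), False  # encrypted but unauthenticated peer
    raise RuntimeError("this Python has no SSL support")
```

The second return value lets the caller log or reject connections whose peer certificate was never checked.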