[issue8813] SSLContext doesn't support loading a CRL
Christian Heimes added the comment:

Yes, Python 3.4 can load and use CRLs.

--
status: open -> closed

Python tracker <rep...@bugs.python.org>
http://bugs.python.org/issue8813

Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

STINNER Victor added the comment:

> Yes, Python 3.4 can load and use CRLs.

Great work Christian, I have been expecting this feature for many years :-)

Christian Heimes added the comment:

It was *really* trivial. I just had to expose two simple OpenSSL APIs to enable / disable CRL. All versions of Python could already load the CRLs but CRL checks could not be enabled.

STINNER Victor added the comment:

> It was *really* trivial. I just had to expose two simple OpenSSL APIs to enable / disable CRL.

It was trivial thanks to all the work done before around SSLContext. For example, Python 2.7 doesn't have SSLContext, so adding support for CRL in Python 2.7 is non-trivial :-/

STINNER Victor added the comment:

What is the status of this issue? Is it fixed or not? The What's New in Python 3.4 document says that Python 3.4 can load CRL.

Roundup Robot added the comment:

New changeset 1508c4c9e747 by R David Murray in branch 'default':
whatsnew: SSLContext.verify_flags and constants. (#8813)
http://hg.python.org/cpython/rev/1508c4c9e747

--
status: pending -> open

Roundup Robot added the comment:

New changeset 40d4be2b7258 by Christian Heimes in branch 'default':
Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
http://hg.python.org/cpython/rev/40d4be2b7258

Christian Heimes added the comment:

The _ssl module compiles again with OpenSSL 0.9.7.

--
priority: release blocker -> normal
resolution: -> fixed
status: open -> pending

Ned Deily added the comment:

This change seems to have broken the OS X 10.4 Tiger buildbot:

_ssl.c:2240: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2253: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2257: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2263: error: 'struct x509_store_st' has no member named 'param'

http://buildbot.python.org/all/builders/x86%20Tiger%203.x/builds/7370

--
nosy: +ned.deily
resolution: fixed ->
status: pending -> open

Christian Heimes added the comment:

:( I seriously need access to a Darwin or OSX box. This is the second time I broke the build on OSX.

Ned Deily <rep...@bugs.python.org> wrote:

> Ned Deily added the comment:
>
> This change seems to have broken the OS X 10.4 Tiger buildbot:
>
> _ssl.c:2240: error: 'struct x509_store_st' has no member named 'param'
> _ssl.c:2253: error: 'struct x509_store_st' has no member named 'param'
> _ssl.c:2257: error: 'struct x509_store_st' has no member named 'param'
> _ssl.c:2263: error: 'struct x509_store_st' has no member named 'param'
>
> http://buildbot.python.org/all/builders/x86%20Tiger%203.x/builds/7370
>
> --
> nosy: +ned.deily
> resolution: fixed ->
> status: pending -> open

Ned Deily added the comment:

10.4 is *very* old:

$ /usr/bin/openssl version
OpenSSL 0.9.7l 28 Sep 2006

If you kept around that version of the headers and libs, you'd probably catch most of the problems.

Ned Deily added the comment:

This problem also breaks the 32-bit OS X installer build.

--
nosy: +larry
priority: normal -> release blocker

Antoine Pitrou added the comment:

> s/FLAGS_/VERIFY_/g ? OK, I don't have hard feelings. :)

And VERIFY_NONE should be VERIFY_CRL_NONE IMO.

Christian Heimes added the comment:

But it's not about CRL alone. How about VERIFY_DEFAULT = 0 ?

Antoine Pitrou added the comment:

> But it's not about CRL alone. How about VERIFY_DEFAULT = 0 ?

Sounds good.

Roundup Robot added the comment:

New changeset 83805c9d1f05 by Christian Heimes in branch 'default':
Issue #8813: Add SSLContext.verify_flags to change the verification flags
http://hg.python.org/cpython/rev/83805c9d1f05

--
nosy: +python-dev

Christian Heimes added the comment:

memo to me: add whatsnew entry

--
assignee: -> christian.heimes
resolution: -> fixed
stage: patch review -> committed/rejected
status: open -> pending

Christian Heimes added the comment:

s/FLAGS_/VERIFY_/g ? OK, I don't have hard feelings. :)

Christian Heimes added the comment:

The new patch addresses your review. I have altered the new names to FLAGS_NONE, FLAGS_CRL_CHECK_LEAF etc.

--
Added file: http://bugs.python.org/file32760/verify_flags_crl2.patch

Christian Heimes added the comment:

My patch is inspired by mod_ssl:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup#l697

CRLs can already be loaded with SSLContext.load_verify_locations(). The patch exposes the verification flags of SSLContext's X509_STORE. With X509_V_FLAG_CRL_CHECK OpenSSL requires (!) a CRL that matches the issuer of the leaf certificate of the chain (the peer's cert). X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL also requires CRLs for all intermediate certs of the peer's cert chain.

Antoine Pitrou added the comment:

> It *is* generic. The flags are not about CRL alone,

That's why I proposed VERIFY_xxx, e.g. VERIFY_CRL_NONE. Calling some flags FLAGS is senseless, it's like calling an integer INTEGER.

Antoine Pitrou added the comment:

That sounds too generic. How about VERIFY_CRL_NONE, etc.

Christian Heimes added the comment:

It *is* generic. The flags are not about CRL alone:
http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html#VERIFICATION_FLAGS

Christian Heimes added the comment:

The patch implements SSLContext.verify_flags in order to enable CRL checks. It comes with documentation, a unit test and a new CRL file.

--
keywords: +patch
stage: needs patch -> patch review
Added file: http://bugs.python.org/file32744/verify_flags_crl.patch

Christian Heimes added the comment:

Yes, you are right. OpenSSL uses the same API to load certs and CRLs. CRL checks must be enabled, though.

Changes by Donald Stufft <donald.stu...@gmail.com>:

--
nosy: +dstufft

Changes by Christian Heimes <li...@cheimes.de>:

--
components: +Extension Modules
nosy: +christian.heimes
versions: +Python 3.4 -Python 3.3

Changes by David Andrzejewski <site+python@davidandrzejewski.com>:

--
nosy: +dandrzejewski

Antoine Pitrou <pit...@free.fr> added the comment:

Is it enough to just load a CRL file, or is other functionality usually needed?

The following APIs should help us do it:
- X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
- int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
- X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);

And also for configuration (enable CRL checking on the context):
- X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
- int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);

--
stage: -> needs patch
versions: +Python 3.3 -Python 3.2
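Antoine's OpenSSL API list above and Christian's explanation earlier on this page of X509_V_FLAG_CRL_CHECK versus CRL_CHECK_ALL map onto the Python-level API the issue ended up adding (load_verify_locations() for the X509_STORE side, verify_flags for the X509_VERIFY_PARAM side). The following is an added example written for this page, not code from the thread or from CPython; the cafile/crlfile paths are placeholders the caller supplies, and the scope argument is a helper of this example, not an ssl module API.

```python
import ssl

# Added example (not from the tracker thread or CPython): build a client
# SSLContext that loads a CA bundle plus a CRL and turns on CRL checking.
# cafile/crlfile are placeholder paths supplied by the caller; "scope" is a
# helper argument of this example, not an ssl module API.


def crl_check_flags(scope: str) -> int:
    """Map a checking scope onto SSLContext.verify_flags bits.

    "none":  CRLs may be loaded but are never consulted (the pre-3.4 state).
    "leaf":  VERIFY_CRL_CHECK_LEAF, OpenSSL's X509_V_FLAG_CRL_CHECK; a CRL
             from the issuer of the peer certificate must be loaded.
    "chain": VERIFY_CRL_CHECK_CHAIN (CRL_CHECK | CRL_CHECK_ALL); a CRL for
             every intermediate CA must be loaded too, or verification
             fails with "unable to get certificate CRL".
    """
    if scope == "none":
        return ssl.VERIFY_DEFAULT
    if scope == "leaf":
        return ssl.VERIFY_CRL_CHECK_LEAF
    if scope == "chain":
        return ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_CRL_CHECK_CHAIN
    raise ValueError(f"unknown CRL check scope: {scope!r}")


def make_context(cafile=None, crlfile=None, scope="leaf") -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # load_verify_locations() feeds both CA certificates and PEM CRLs into
    # the context's X509_STORE (X509_STORE_add_cert / X509_STORE_add_crl),
    # but loading a CRL alone never enables revocation checks.
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    if crlfile is not None:
        ctx.load_verify_locations(cafile=crlfile)
    # verify_flags is the X509_VERIFY_PARAM_set_flags() side; OR into the
    # existing value so OpenSSL's own default flags are kept.
    ctx.verify_flags |= crl_check_flags(scope)
    return ctx


def crl_checking_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the handshake will reject a revoked peer certificate."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)
```

With scope="none" the context mirrors what every Python version before 3.4 could do: the CRL is in the store but is never consulted.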

New submission from STINNER Victor <victor.stin...@haypocalc.com>:

SSL Context should support loading a CRL.

See M2Crypto patches:
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954
https://bugzilla.osafoundation.org/show_bug.cgi?id=11694

Or PyOpenSSL branch supporting CRL:
https://launchpad.net/~rick-fdd/pyopenssl/crl_and_revoked

--
components: Library (Lib)
messages: 106393
nosy: haypo
priority: normal
severity: normal
status: open
title: SSLContext doesn't support loading a CRL
versions: Python 3.2

Changes by STINNER Victor <victor.stin...@haypocalc.com>:

--
nosy: +pitrou

Changes by Antoine Pitrou <pit...@free.fr>:

--
type: -> feature request

Changes by Giampaolo Rodola' <g.rod...@gmail.com>:

--
nosy: +giampaolo.rodola