[Python-Dev] SSL Certificate Validation
Hi all, I have a few questions about validating SSL certificates. From what I gather, this validation occurs in the OpenSSL code called from _ssl.c. Is this correct? Also, I have looked through the docs and code, but haven't been able to figure out exactly what is included in certificate "validation". Is it just validating the chain? Does it check the NotBefore and NotAfter dates? Does it check that the host the socket is connected to is the same as what's given in the CN field in the certificate? Where I'm going with this is I think all this checking needs to be part of certificate validation in the ssl module. If it isn't yet, I'd be happy to work on a patch for it. Please let me know what you think. Thanks! -Devin Cook ___ Python-Dev mailing list [email protected] http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] SSL Certificate Validation
> But I really do believe that this is what he need to do next:
> familiarize himself with OpenSSL. There is a lot of APIs in that
> library, and it takes a while (i.e.: several months) to get
> productive, in particular since OpenSSL doesn't have the most
> intuitive API.

Well, I realized this as soon as I looked at the _ssl.c code... I was just hoping that someone would be able to give me a quick clarification on exactly what gets validated. If it's just the chain (which is what I suspect), I would like to submit a patch that does the rest of the validation (that a browser typically does: CN/hostname, NotBefore, NotAfter, etc.) in the ssl module.

I was also hoping to find out what the consensus is about this: mainly, *should* that verification be done in the ssl module? Maybe this verification should somehow be done in OpenSSL, which would mean that I need to do a LOT more reading and go pester their mailing list instead.

This is for issue 6273 ( http://bugs.python.org/issue6273 ). In your reply to that issue, it seemed to me like you were saying that these things were not getting checked in the ssl module (and, therefore, not in OpenSSL either):

> I find the patch incomplete, for formal and semantical reasons:
> a) it doesn't come with documentation or test suite changes, and
> b) it doesn't implement the typical certificate checks that browsers
> do, beyond validating that the certificate is valid - e.g. also
> validating that the certificate is issued to the host you are trying
> to connect to.

I would like to do validation of server certificates in a project I'm working on, and I figured it would be better to be proactive and try to help create a patch than to just sit back and complain about it. It seems to me that this is a bug that you can't do peer certificate validation in httplib.

If this isn't the place to ask these kinds of questions, I apologise. I can take the discussion elsewhere if I need to.

Thanks, -Devin
Re: [Python-Dev] SSL Certificate Validation
Ok, thanks for all the feedback. Just for clarity, I'll summarize everything as I understand it:

* OpenSSL does all the validation of the certificate itself. (http://openssl.org/docs/apps/verify.html)
* httplib should have a way to enable validation of the certificate.
* httplib should have a way to enable checking of the reference identity. (that complies with section 3 of this draft: http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-00)
* The reference identity checking (and cert validation, I assume) shouldn't be automatic. (per Bill)

Does that sound about right? I'll try to work up a patch tonight implementing this.

-Devin
Re: [Python-Dev] Implementing File Modes
Hmm... can't you do this?
import subprocess

if encryptionEnabled:
    # gpg writes the decrypted plaintext to its stdout; capturing that end
    # of the pipe gives a readable file-like object, just like open() does.
    p = subprocess.Popen(["gpg", "--decrypt", "supersecret.html.gpg"],
                         stdout=subprocess.PIPE)
    fileobj = p.stdout
else:
    fileobj = open("notsosecret.html")
I think that works. Is there something this way won't work for? You
can also do the same thing to get stdout and stderr file objects. I
guess a wrapper would simplify this process.
-Devin
On Wed, Jul 29, 2009 at 7:41 PM, Eric Pruitt wrote:
> My motivation came from an instance when I was using subprocess.Popen for a
> Linux / Windows cross platform program. In part of the program, I was
> writing and reading to a cron like object. On Windows, it was a text file
> and on Linux it would be the crontab executable. Had I been able to
> substitute the "open()" function with my wrapper, it would have been the
> only change I had to make for cross platform compatibility; instead of
> having to change numerous lines because Linux would need Popen and Windows
> would need a regular file open(), I could simply make it so that if the
> platform was Linux, my wrapper is used in place of that. Just another
> example would be having an external program decrypt a file that can be in
> plain text or encrypted that might go something like this:
>
> if encryptionEnabled:
> fileobj = subprocess.ProcessIOWrapper("gpg --decrypt
> supersecret.html.gpg")
> else:
> fileobj = open("notsosecret.html")
>
Re: [Python-Dev] evolving the SSL module API
Yes, my patch implements hostname checking in httplib (although I haven't had time to do much testing). I also made the documentation changes, but have not yet created any test cases since there really aren't any HTTPS test cases in the test_httplib.py file (which is probably another issue that needs attention).

We had talked a month or two back about including hostname checking in the ssl module, but the consensus seemed to be that it doesn't belong there. Personally, I would like to see it make it into the ssl module, as that would mean all the modules that use the ssl module (httplib, etc.) wouldn't have to write their own (and it isn't very straightforward... lots of different RFCs involved). Just my 2 cents.

-Devin

On Thu, Sep 10, 2009 at 3:17 PM, Jesse Noller wrote:
> There's also the patch to httplib that Devin Cook has been working on
> for SSL enhancements, some of which do name checking. He's got most of
> a patch completed.
>
> On Thu, Sep 10, 2009 at 3:01 PM, Bill Janssen wrote:
>> Heikki, I'm OK with this, too. would you like to propose an extended
>> API for the SSL module? That would give us a starting point to talk
>> about.
>>
>> This should probably be a PEP, just for the sake of writing things down.
>>
>> As you say, the hostname checking feature seems to me possibly
>> appropriate for some application protocols, though it's made the use of
>> HTTPS as a transport-level protocol unnecessarily confusing and buggy.
>> I don't see putting that into the SSL module as a default, but perhaps a
>> utility function in that module, to check a server-side cert against a
>> hostname, is a good idea.
>>
>> Bill
Re: [Python-Dev] Rework nntplib?
On Wed, Sep 15, 2010 at 11:37 AM, Jesse Noller wrote:
> You need people with the time and willingness to download, install and
> run production code on the releases.

This might be getting off-topic, but maybe not as many people as you think. How many projects in pypi provide unittests? That's at least more tests to add to the ones already being run in the stdlib.

-Devin
Re: [Python-Dev] Python-3 transition in Arch Linux
On Thu, Nov 4, 2010 at 7:19 PM, Allan McRae wrote:
> I also agree with the "NO ARCH" topic at the moment. I was fairly surprised
> so many people went to #python for help given we had made news posts and had
> a topic in our IRC channel pointing to how to start fixing issues.
>
> Allan

I don't remember seeing any warning about it during the upgrade. That may have helped people (ones that read the warnings, at least) figure out what was going on. I think a warning from /usr/bin/python may have helped as well, but I do suppose that might be a bit extreme. FWIW, I found those news posts and the Python wiki page pretty quickly after I realized my scripts weren't working anymore.

-Devin
