Antoine Pitrou added the comment:
I'm gonna close this entry, since there's no actual issue to fix in Python.
--
resolution:  -> invalid
status: open -> closed
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13647
Changes by Christian Heimes li...@cheimes.de:
--
nosy: +christian.heimes
Changes by Barry A. Warsaw ba...@python.org:
--
nosy: +barry
Python-bugs-list mailing
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:
--
nosy: +Arfrever
Changes by Florian Weimer fwei...@redhat.com:
--
nosy: +fweimer
Dan Kaminsky d...@doxpara.com added the comment:
There is a new match_hostname that doesn't implement all the
required, standard SSL/TLS Client security checks that should be done.
Indeed, as the name indicates, it just checks the hostname.
Please detail what the other security checks are
Antoine Pitrou pit...@free.fr added the comment:
You need to check expiration date of the cert in question, and I
suppose invocation date as well.
You need to look at each of the CNs in the subject name, as well as
each of the DNSname types in the SAN extension.
You *absolutely must* make
Dan Kaminsky d...@doxpara.com added the comment:
On Fri, Dec 23, 2011 at 4:14 AM, Antoine Pitrou rep...@bugs.python.org wrote:
Antoine Pitrou pit...@free.fr added the comment:
You need to check expiration date of the cert in question, and I
suppose invocation date as well.
You need to
naif n...@globaleaks.org added the comment:
Hi all,
I added a ticket on setting up a default CA-store for Python, eliminating the
need of CA-Store maintenance:
http://bugs.python.org/issue13655
This feature is a pre-requisite to implement by default SSL/TLS Client secure
certificate
Antoine Pitrou pit...@free.fr added the comment:
Be sure to support SAN. People forget that, and the API makes it a pain in
the butt (the validator doesn't even know who you're validating for).
Right, that's why we added the match_hostname() function. It knows about
subjectAltName, except
naif n...@globaleaks.org added the comment:
Looking at the OpenSSL command line, there is the verify that does a lot of
checks on its own:
http://www.openssl.org/docs/apps/verify.html
Dan, do you think that this app does all the best practice verification or
it's missing something?
Antoine,
Antoine Pitrou pit...@free.fr added the comment:
Antoine, in case it's useful, do you think that it would be possible
to have something exactly-like the OpenSSL verify command?
Well, to quote the page you mentioned:
“The verify program uses the same functions as the internal SSL and
S/MIME
Changes by Jesús Cea Avión j...@jcea.es:
--
nosy: +jcea
New submission from naif n...@globaleaks.org:
It has been noticed by the well known security researcher Dan Kaminsky (
http://dankaminsky.com/) that Python SSL binding doesn't securely validate a
digital certificate while used.
There is a new
Antoine Pitrou pit...@free.fr added the comment:
There is a new match_hostname that doesn't implement all the
required, standard SSL/TLS Client security checks that should be done.
Indeed, as the name indicates, it just checks the hostname.
Please detail what the other security checks are