[issue28747] Expose SSL_CTX_set_cert_verify_callback

2019-09-02 Thread David Peall
Change by David Peall: -- nosy: +David Peall

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2019-08-13 Thread Chih-Hsuan Yen
Change by Chih-Hsuan Yen: -- nosy: -yan12125

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2019-08-13 Thread Marcelo Salhab Brogliato
Marcelo Salhab Brogliato added the comment: Exposing SSL_CTX_set_cert_verify_callback is useful when we want to use public key authentication, as is done in the SSH protocol. Do you know any other way to use public key authentication besides using SSL_CTX_set_cert_verify_callback?

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2018-01-06 Thread Steve Dower
Steve Dower added the comment: The change to make OpenSSL a separate DLL (on Windows, at least, which is all I really care about) means this function is available via ctypes. That's good enough for me, so I'll close this. -- resolution: -> out of date stage:

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2017-02-24 Thread Chi Hsuan Yen
Changes by Chi Hsuan Yen: -- nosy: +Chi Hsuan Yen

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2017-01-31 Thread Ronald Oussoren
Changes by Ronald Oussoren: -- nosy: +ronaldoussoren

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-12-28 Thread Steve Dower
Steve Dower added the comment: Any comment from the SSL experts?

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-12-17 Thread Ned Deily
Ned Deily added the comment: From a release manager perspective, I'm OK in principle with adding it to 3.6.1 as long as the ssl experts are OK with it. -- nosy: +alex, dstufft, janssen

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-12-17 Thread Steve Dower
Steve Dower added the comment: The current _3.patch builds on default without warning and the tests pass (_2.patch is the one Ned tried). Any objections to committing this into 3.7? What about 3.6.1? As an additive and easy to detect API, I think it's suitable, and I will certainly use it

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-21 Thread Steve Dower
Steve Dower added the comment: For the sake of review, I fixed the patch and rebased it on default. -- Added file: http://bugs.python.org/file45594/28747_3.patch

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-21 Thread Steve Dower
Steve Dower added the comment: Whoops, that's what I get for renaming something. Easily fixed, but I'm happy to aim for 3.7.

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-20 Thread Ned Deily
Ned Deily added the comment: We are two weeks from producing the release candidate for 3.6.0. I don't think we should be rushing to add a new security-critical API which, IIUC, won't be used in the initial release anyway. Let's target it for 3.7 after proper review and then we can decide

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-20 Thread Ned Deily
Ned Deily added the comment: And, as it stands, the tests fail (at least on macOS):
ERROR: test_set_cert_verify_callback (test.test_ssl.SimpleBackgroundTests)

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-20 Thread Ned Deily
Ned Deily added the comment: With the patch (_2), clang (and gcc 4.2) on macOS warn:
./Modules/_ssl.c:3968:7: warning: assigning to 'unsigned char *' from 'char *' converts between pointers to integer types with different sign [-Wpointer-sign]
    p = PyBytes_AS_STRING(enc_cert);
      ^

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-20 Thread Steve Dower
Steve Dower added the comment: Should have assigned this to me, as I expect I'll be the one to apply it. Christian - I need to look to you for whether I've exposed the right function here and it's not adding security risk (obviously excluding a broken callback implementation). I *think* it's

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-20 Thread Steve Dower
Steve Dower added the comment: > Basically you want to replace OpenSSL's X509 verification with Windows' cert > validation and just leave the handshake and encryption to OpenSSL? Yep. (See WinVerifyTrust for the Windows API I'm using.)

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-20 Thread Christian Heimes
Christian Heimes added the comment: IMHO SSL_CTX_set_cert_verify_callback() is the wrong approach. You are completely bypassing cert validation checks of OpenSSL. The callback has to build the chain and perform all checks on its own. By all checks I literally mean *all*,

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-19 Thread Steve Dower
Steve Dower added the comment: Few patch updates - better tests and some docs. -- Added file: http://bugs.python.org/file45553/28747_2.patch

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-19 Thread Steve Dower
Steve Dower added the comment: When I was stepping through, this callback avoided all of those lookups, so I don't understand how it's being called too late? This approach basically takes the entire raw certificate and lets the OS do whatever it needs. OpenSSL doesn't ever have to crack it

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-19 Thread Christian Heimes
Christian Heimes added the comment: Hi Steve, there is a better approach to fix issue20916. The verify callback is not the correct API, because it is called too late. We want to hook into the cert resolution mechanism of OpenSSL and get trust anchors and CRLs in before OpenSSL builds the

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-19 Thread Steve Dower
Steve Dower added the comment: Oh, I also made the SSL module chain exceptions properly. That's probably the biggest and scariest part of the change, but it can't have been overwriting exceptions before anyway (because it calls back into Python code to instantiate SSLError), so it's only

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-19 Thread Steve Dower
Steve Dower added the comment: Patch attached with code changes and basic tests. Doc changes to follow. -- keywords: +patch Added file: http://bugs.python.org/file45551/28747_1.patch

[issue28747] Expose SSL_CTX_set_cert_verify_callback

2016-11-19 Thread Steve Dower
New submission from Steve Dower: As a prerequisite for fixing issues such as issue20916 (dynamic download/update of CAs and CRLs), we really need to be able to plug into the certificate verification function for OpenSSL. This patch adds SSLContext._set_cert_verify_callback, which will allow