[issue17123] Add OCSP support to ssl module

2019-10-16 Thread Daniel Kahn Gillmor


Daniel Kahn Gillmor  added the comment:

On Thu 2019-10-10 01:38:42 +, Benjamin Peterson wrote:

> Considering OCSP has fallen out of favor relative to CT in recent
> years, maybe we should simply reject this feature request.

CT provides the possibility for a website operator to *detect* CA
malfeasance.

OCSP provides a live "proof of freshness" of the certificate at a
cadence significantly shorter than the lifetime of most certificates
(even the 90-day certificates offered by ACME-driven CAs like Let's
Encrypt).

These are orthogonal, and mutually-reinforcing mechanisms, not competing
mechanisms.

  --dkg

--

___
Python tracker <http://bugs.python.org/issue17123>

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue17123] Add OCSP support to ssl module

2019-10-15 Thread Shane Harvey


Change by Shane Harvey :


--
nosy: +ShaneHarvey




[issue17123] Add OCSP support to ssl module

2019-10-15 Thread Bernie Hackett


Bernie Hackett  added the comment:

OCSP is the only way Let's Encrypt supports revocation. It would be really 
useful to have stapling verification supported in the standard library, even 
just the callback support PyOpenSSL supports.

https://letsencrypt.org/docs/revoking/

--
nosy: +behackett




[issue17123] Add OCSP support to ssl module

2019-10-09 Thread Benjamin Peterson


Benjamin Peterson  added the comment:

Considering OCSP has fallen out of favor relative to CT in recent years, maybe we 
should simply reject this feature request.

--




[issue17123] Add OCSP support to ssl module

2019-10-09 Thread Daniel Kahn Gillmor


Daniel Kahn Gillmor  added the comment:

It would be great to see at least minimal OCSP stapling support (in the form of 
callbacks on the client and server sides) available in the ssl module, similar 
to the way that pyopenssl has added such callbacks:

https://github.com/pyca/pyopenssl/pull/580

If that was present in the ssl module, then it would let other implementations 
supply reasonable callback functionality for fetching and relaying stapled OCSP 
responses (on the server side) and validating in-band OCSP responses (on the 
client side).

--
nosy: +dkg




[issue17123] Add OCSP support to ssl module

2018-02-25 Thread Christian Heimes

Change by Christian Heimes :


--
versions: +Python 3.8 -Python 3.7




[issue17123] Add OCSP support to ssl module

2016-09-15 Thread Christian Heimes

Changes by Christian Heimes :


--
assignee:  -> christian.heimes
components: +SSL




[issue17123] Add OCSP support to ssl module

2016-09-08 Thread Christian Heimes

Christian Heimes added the comment:

I'll add OCSP stapling verification to 3.7.

--
versions: +Python 3.7 -Python 3.5




[issue17123] Add OCSP support to ssl module

2015-04-17 Thread Arfrever Frehtes Taifersar Arahesis

Changes by Arfrever Frehtes Taifersar Arahesis :


--
nosy: +Arfrever




[issue17123] Add OCSP support to ssl module

2013-12-21 Thread Antoine Pitrou

Changes by Antoine Pitrou :


--
type: security -> enhancement




[issue17123] Add OCSP support to ssl module

2013-10-21 Thread Larry Hastings

Changes by Larry Hastings :


--
nosy:  -larry




[issue17123] Add OCSP support to ssl module

2013-10-21 Thread Christian Heimes

Christian Heimes added the comment:

I won't have time for a proper implementation for 3.4. Defer to 3.5.

--
versions: +Python 3.5 -Python 2.6, Python 2.7, Python 3.4




[issue17123] Add OCSP support to ssl module

2013-04-28 Thread Georg Brandl

Changes by Georg Brandl :


--
versions:  -Python 3.2, Python 3.3




[issue17123] Add OCSP support to ssl module

2013-04-19 Thread Phil Connell

Changes by Phil Connell :


--
nosy: +pconnell




[issue17123] Add OCSP support to ssl module

2013-02-04 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Christian, I really don't agree this should be a release blocker, and 
especially not for bugfix branches.

--
priority: release blocker -> normal




[issue17123] Add OCSP support to ssl module

2013-02-04 Thread Jesús Cea Avión

Changes by Jesús Cea Avión :


--
nosy: +jcea




[issue17123] Add OCSP support to ssl module

2013-02-04 Thread Christian Heimes

Christian Heimes added the comment:

OCSP can prevent MITM attacks when the private server cert or CA cert got 
compromised or stolen somehow.

--




[issue17123] Add OCSP support to ssl module

2013-02-04 Thread Christian Heimes

Changes by Christian Heimes :


--
nosy: +barry, benjamin.peterson, georg.brandl, larry
priority: high -> release blocker




[issue17123] Add OCSP support to ssl module

2013-02-04 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Can you explain how OCSP helps prevent MITM attacks?

- Original message -
> From: "Christian Heimes" 
> To: pit...@free.fr
> Sent: Monday, 4 February 2013 17:14:32
> Subject: [issue17123] Add OCSP support to ssl module
> 
> 
> New submission from Christian Heimes:
> 
> Python's ssl module doesn't support OCSP [1]. The example code at [2]
> doesn't look too complicated. We should consider OCSP at least for
> 3.4 and may want to backport it to older versions to prevent MITM
> attacks on PyPI downloads.

--




[issue17123] Add OCSP support to ssl module

2013-02-04 Thread Christian Heimes

New submission from Christian Heimes:

Python's ssl module doesn't support OCSP [1]. The example code at [2] doesn't 
look too complicated. We should consider OCSP at least for 3.4 and may want to 
backport it to older versions to prevent MITM attacks on PyPI downloads.


[1] http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
[2] http://etutorials.org/Programming/secure+programming/Chapter+10.+Public+Key+Infrastructure/10.12+Checking+Revocation+Status+via+OCSP+with+OpenSSL/

--
components: Extension Modules
messages: 181341
nosy: christian.heimes, pitrou
priority: high
severity: normal
stage: needs patch
status: open
title: Add OCSP support to ssl module
type: security
versions: Python 2.6, Python 2.7, Python 3.2, Python 3.3, Python 3.4
