[issue28182] Expose OpenSSL verification results in SSLError

2017-09-08 Thread Christian Heimes
Christian Heimes added the comment: New changeset 0915360b9ef765bf84d4471a8a079f48c49bad68 by Christian Heimes in branch 'master': bpo-28182: restore backwards compatibility (#3464) https://github.com/python/cpython/commit/0915360b9ef765bf84d4471a8a079f48c49bad68

2017-09-08 Thread Christian Heimes
Changes by Christian Heimes: pull_requests: +3456

2017-09-08 Thread Christian Heimes
Christian Heimes added the comment: The ssl module now reports the cause of validation failure:

>>> import ssl
>>> import ssl, socket
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
>>> sock = ctx.wrap_socket(socket.socket(), server_hostname='www.python.org')
>>> sock.connect(('www.python.org', 44

2017-09-08 Thread Christian Heimes
Christian Heimes added the comment: New changeset b3ad0e5127bdeb6e506301e0d65403fa23c4177b by Christian Heimes in branch 'master': bpo-28182: Expose OpenSSL verification results (#3412) https://github.com/python/cpython/commit/b3ad0e5127bdeb6e506301e0d65403fa23c4177b

2017-09-06 Thread Christian Heimes
Changes by Christian Heimes: pull_requests: +3413

2016-09-26 Thread Christian Heimes
Christian Heimes added the comment: For hostname verification it might be a good idea to add a replacement for ssl.CertificateError.

2016-09-20 Thread Chi Hsuan Yen
Chi Hsuan Yen added the comment:

> I'm familiar with the release cycles of OpenSSL.

Oh I shouldn't say something trivial :) I know that thread. Hope I can help something on persuading others.

2016-09-20 Thread Christian Heimes
Christian Heimes added the comment: I'm familiar with the release cycles of OpenSSL. In fact I want to tie support for OpenSSL versions to the release cycle of OpenSSL. Python core dev is a bit ... special. :) I can't just drop support. Some developers are opposing my plans and want to keep su

2016-09-20 Thread Chi Hsuan Yen
Chi Hsuan Yen added the comment: That's great. OpenSSL plans to drop 1.0.1 branch support after 2016/12/31. [1] I guess it's OK to drop 1.0.1 support in 3.7. Thanks for constantly improving SSL/TLS support in CPython!

[1] https://www.openssl.org/source/

2016-09-20 Thread Christian Heimes
Christian Heimes added the comment: Yes, I'm planning to use the feature in 3.7. First I have to finish my PEP and get consent that I can drop support for OpenSSL 1.0.1 and earlier. We still support older versions but the feature is only available in 1.0.2+. I also need to come up with a solu

2016-09-20 Thread Chi Hsuan Yen
Chi Hsuan Yen added the comment: With this change: (tested with OpenSSL git-master) @@ -632,20 +651,22 @@ newPySSLSocket(PySSLContext *sslctx, PyS SSL_set_bio(self->ssl, inbio->bio, outbio->bio); } mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; #ifdef SSL_MODE_AUTO_RETRY mo

2016-09-19 Thread Christian Heimes
Christian Heimes added the comment: What do we do about ssl.CertificateError? It's not a subclass of SSLError and raised by match_hostname().

2016-09-18 Thread Christian Heimes
Christian Heimes added the comment: You don't have to be concerned about additional arguments. fill_and_set_sslerror() is an internal helper function. In fact it's a helper function for two other helper functions. Let's postpone the discussion until the argument size grows out of proportion.

2016-09-18 Thread Chi Hsuan Yen
Chi Hsuan Yen added the comment: That looks much better. I should have created a subclass of SSLError. Here's a minor concern: fill_and_set_sslerror adds a new argument for verification errors. If someone else wants to support more errors, this function would have more arguments, which sounds b

2016-09-18 Thread Christian Heimes
Christian Heimes added the comment: Good work! I completely forgot that the SSL object holds the last verification error in its struct. This allows the ssl module to print some information when cert verification fails. It's still not perfect, because it is missing information about the fai

2016-09-18 Thread Chi Hsuan Yen
Chi Hsuan Yen added the comment: Here's a quick try. I didn't add tests or update docs as it's my first serious patch to CPython and I'm not sure whether my approach is OK or not.

keywords: +patch
Added file: http://bugs.python.org/file44741/expose-x509-verify-result.patch

2016-09-16 Thread Chi Hsuan Yen
New submission from Chi Hsuan Yen: This was originally a post at python-ideas. Now I have reformatted it to be more like a feature request. Currently, Python raises SSLError with reason=CERTIFICATE_VERIFY_FAILED for all kinds of certificate verification failures. This results in difficulties in debug
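Added example, not code from this thread or from CPython, tying together the problem stated in the original submission above and the 3.7 session Christian posted earlier in the thread: on Python 3.7+ a failed handshake raises ssl.SSLCertVerificationError, whose verify_code and verify_message carry OpenSSL's X509 verification result, so a client can log a concrete diagnosis instead of the bare CERTIFICATE_VERIFY_FAILED reason. explain_ssl_error() and probe() are hypothetical helper names; the numeric codes are OpenSSL's own X509_V_ERR_* values.

```python
import socket
import ssl

# Python 3.7 (bpo-28182) added ssl.SSLCertVerificationError, a subclass of both
# SSLError and ValueError (ValueError so that ssl.CertificateError, now an alias
# of it, keeps its old hierarchy). The handshake code in _ssl.c sets
# .verify_code / .verify_message from the X509 verification result.

# A handful of OpenSSL X509_V_ERR_* codes (values from x509_vfy.h) mapped to a
# diagnosis an operator can act on; any other code gets the generic text.
_VERIFY_DIAGNOSIS = {
    10: "certificate has expired",
    18: "self-signed leaf certificate, not issued by a trusted CA",
    19: "self-signed certificate in chain: root is not in the trust store",
    20: "issuer certificate not found locally: missing intermediate or CA bundle",
    62: "certificate does not match the requested hostname",
}


def explain_ssl_error(exc):
    """Describe an SSLError as a dict, using the verification details that
    bpo-28182 exposes when the failure was a certificate verification error."""
    info = {
        "type": type(exc).__name__,
        "reason": getattr(exc, "reason", None),
        "verify_code": getattr(exc, "verify_code", None),
        "verify_message": getattr(exc, "verify_message", None),
    }
    if isinstance(exc, ssl.SSLCertVerificationError):
        info["diagnosis"] = _VERIFY_DIAGNOSIS.get(
            info["verify_code"], "certificate verification failed")
    else:
        # e.g. WRONG_VERSION_NUMBER or a protocol alert: not a trust problem
        info["diagnosis"] = "TLS failure unrelated to certificate verification"
    return info


def probe(host, port=443, cafile=None, timeout=5.0):
    """Hypothetical helper: connect with full verification (chain + hostname)
    and return {'ok': True, ...} or {'ok': False, ...} with the diagnosis."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "subject": tls.getpeercert().get("subject")}
    except ssl.SSLError as exc:
        return {"ok": False, **explain_ssl_error(exc)}
```

probe() needs network access; explain_ssl_error() does not and can be unit-tested with an exception whose verify_code and verify_message are set by hand, which is exactly what the C code does after a failed handshake.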