Hi j.barrett,

Thanks for bringing this up.
Your observation is correct. The patch only enables what is already done in the standard library and does not handle hostname verification. I don't think it's possible for Python < 2.7.9 without modifying Thrift code.
It's kind of a bug since it's done for server certs and without this it only gives a false sense of security.

Could you file an issue in our JIRA?
https://issues.apache.org/jira/browse/THRIFT

If you happen to be interested in contributing, I'll definitely check out your implementation and work for the merge.
Either way, I guess we need it before the next release.

On Sun, Jan 24, 2016 at 9:54 PM j.barrett Strausser <[email protected]> wrote:

> Does release 0.9.3 support mutual authentication in Python on version
> 2.7.6? By Mutual Auth I mean does the server check that the client has a
> cert that has been signed by the server's PKI (cert,key)?
>
> Looking at the source it appears that it does not?
>
> Is it supported in 0.9.4? In this commit it appears to have been
> introduced.
>
> https://github.com/apache/thrift/commit/ad8358664e6aa2de9094ca68c8b626b953b572c0
>
> In particular I'm assuming the line below is the relevant test case for
> mutual auth?
>
> https://github.com/apache/thrift/commit/ad8358664e6aa2de9094ca68c8b626b953b572c0#diff-2853875e5d5696e7082aa0e46bc206b1R186
>
> If all the above is the case, does the server side perform hostname
> verification on the client common name? Any thoughts on how to handle that
> in 2.7.6?
>
>
> Thanks,
>
> -b
> --
>
>
> https://github.com/bearrito
> @deepbearrito
>
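
Added example, not part of the e-mail thread and not Thrift code: a server-side check of the client certificate identity, the step the thread says the patch does not perform, written against the dict that Python's ssl.SSLSocket.getpeercert() returns after a handshake that required a client certificate. The function names are hypothetical, and the allowlist, host names and sample certificates are constructed.

```python
# Added illustration; not Thrift code. Operates on the dict returned by
# ssl.SSLSocket.getpeercert() after a handshake with cert_reqs=ssl.CERT_REQUIRED.


def client_identities(peercert):
    """Return the identities a validated client certificate asserts.

    dNSName subjectAltName entries take precedence; commonName is used only
    when the certificate has no dNSName entries (the RFC 6125 rule).
    """
    if not peercert:
        # None: no certificate sent. {}: certificate sent but not validated
        # (cert_reqs was not CERT_REQUIRED). Neither proves an identity.
        return []
    dns_names = [value.lower()
                 for kind, value in peercert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return dns_names
    return [value.lower()
            for rdn in peercert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def is_authorized_client(peercert, allowed_names):
    """True only if the certificate asserts a name on the allowlist (exact match)."""
    allowed = {name.lower() for name in allowed_names}
    return any(name in allowed for name in client_identities(peercert))


# Constructed sample data in the getpeercert() format.
ALLOWED = ["billing.internal.example"]  # hypothetical allowlist
CERT_CN_ONLY = {"subject": ((("organizationName", "Example"),),
                            (("commonName", "billing.internal.example"),))}
CERT_SAN_OVERRIDES_CN = {
    "subject": ((("commonName", "billing.internal.example"),),),
    "subjectAltName": (("DNS", "batch.internal.example"),),
}

if __name__ == "__main__":
    for label, cert in [("cn-only", CERT_CN_ONLY),
                        ("san-overrides-cn", CERT_SAN_OVERRIDES_CN),
                        ("unvalidated", {}), ("no-cert", None)]:
        print(label, is_authorized_client(cert, ALLOWED))
```

The check only means something when the handshake itself required and validated the client certificate against the server's CA; otherwise getpeercert() yields an empty dict and the function rejects the peer.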
