Issue1114345
This issue tracker has been migrated to GitHub and is currently read-only. For more information, see the GitHub FAQs in Python's Developer Guide.
Created on 2005-02-01 23:04 by noonian, last changed 2022-04-11 14:56 by admin. This issue is now closed.
Files

File name | Uploaded | Description
---|---|---
python-ssl-verification.diff | noonian, 2005-02-01 23:04 | python-ssl-verification patch
Messages (20)
msg47639 | Author: James Eagan (noonian) | Date: 2005-02-01 23:04

One line summary: adds certificate validation to the SSL module and programmer-level hooks to control how and whether certificate validation is performed.

Details: The current SSL implementation in Python goes through the motions of negotiating an SSL connection, but never validates the certificates exchanged. This is like going through the motions of checking someone's photo ID, but never making sure the picture matches the person you're talking to. This patch fixes that.

This patch adds 3 module-level variables to the socket module, which get exposed iff ssl is built in. These variables (ssl_ca_file, ssl_ca_path, and ssl_verify_level) provide programmer-level access to the certificate authorities database and to control what level of certificate verification is performed (by default, none, as is the current behavior). If certificate verification is enabled, then one of the two certificate authority parameters must be set to a valid certificate authority database or all certificate verification operations will fail.

I have an example certificate authority database (extracted from the Java keystore) that I can provide, but I'm not sure how to contribute that through the patch mechanism.

Cheers!
James Eagan
msg47640 | Author: James Bowes (jbowes) | Date: 2006-06-21 19:43

I put together an updated version of this patch against svn trunk as of June 21, 2006. I also added some additional documentation to the .tex file. Maybe someone with sufficient privileges (or James, if you're still out there) could attach the updated patch here? The updated patch is at: http://www.dangerouslyinc.com/~bowes/ssl_ca.diff

Regards,
James Bowes
msg47641 | Author: John Nagle (nagle) | Date: 2006-11-09 04:14

What's the status of this? Is it going in? I have a need for it. Thanks.
msg47642 | Author: James Eagan (noonian) | Date: 2006-11-09 14:43

Nagle: I haven't heard anything from anyone besides you and jbowes about this patch here or on the python-dev list, and I haven't had time to follow up. You might have more success via the email list. (Or, if any of the Python maintainers is reading this, do you have any suggestions to make this patch more attractive?)
msg47643 | Author: Gustavo J. A. M. Carneiro (gustavo) * | Date: 2006-11-09 15:20

> This patch adds 3 module-level variables to the socket module, which get exposed iff ssl is built in. These variables (ssl_ca_file, ssl_ca_path, and ssl_verify_level) provide programmer-level access to the certificate authorities database and to control what level of certificate verification is performed (by default, none, as is the current behavior).

Are you sure it's a good idea to have this kind of 'global' control over certification authorities? Global configurations are handy at first, but they come back and bite us when we least expect it...
msg47644 | Author: John Nagle (nagle) | Date: 2006-11-30 20:13

This has been pending for a few months, and there's a fix, but it's not in yet. What's going on?

I just had Python accept a totally bogus certificate from "www.amaison.co.uk". The certificate contents are:

    C = --
    ST = SomeState
    L = SomeCity
    O = SomeOrganization
    OU = SomeOrganizationalUnit
    CN = localhost.localdomain
    emailAddress = root@localhost.localdomain

Issuer identity:

    C = --
    ST = SomeState
    L = SomeCity
    O = SomeOrganization
    OU = SomeOrganizationalUnit
    CN = localhost.localdomain
    emailAddress = root@localhost.localdomain

Python is perfectly happy with that. Which is embarrassing.
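The certificate quoted in msg47644, run through the two identity checks the thread is asking for, as an added example that is not code from this tracker thread, from the attached patch, or from the CPython ssl module. It works on the dict form that `ssl.SSLSocket.getpeercert()` returns (an empty dict when the peer was not validated, e.g. under CERT_NONE), flags a certificate whose subject equals its issuer, and matches the dialed hostname against subjectAltName DNS entries, falling back to the commonName only when no SAN is present (the legacy behaviour CPython exposes as `SSLContext.hostname_checks_common_name`). The cert dicts below are constructed: `BOGUS_CERT` from the fields Nagle posted, `GOOD_CERT` for an invented www.example.net host; the function names are mine. Chain and signature validation are deliberately left to the TLS library, which is what the 2.6 ssl module added.

```python
"""Identity checks on a TLS peer certificate in ssl.SSLSocket.getpeercert() dict form."""


def _name_to_dict(rdn_seq):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) nesting into {attr: [values]}."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out.setdefault(attr, []).append(value)
    return out


def _dns_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive, '*' allowed only as the whole leftmost label,
    and never against a public-suffix-sized name such as '*.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or "*" in pattern[2:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    # One wildcard covers exactly one label: *.example.net does not match a.b.example.net.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def check_peer_cert(cert, hostname):
    """Return the reasons `cert` must not be accepted for `hostname`; an empty list means it passed.

    Only identity is checked here. Whether the chain is signed by a trusted CA is the job of the
    TLS library (CERT_REQUIRED plus a CA bundle), not of this function.
    """
    problems = []
    if not cert:
        # getpeercert() returns {} when the handshake did not validate the peer (CERT_NONE).
        return ["no validated certificate available for the peer"]
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        problems.append("self-signed: subject equals issuer")
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        candidates, source = san_dns, "subjectAltName"
    else:
        candidates, source = subject.get("commonName", []), "commonName (no subjectAltName; legacy fallback)"
    if not any(_dns_matches(c, hostname) for c in candidates):
        problems.append(f"hostname {hostname!r} matches none of {candidates} from {source}")
    return problems


# Constructed from the subject and issuer fields quoted in msg47644; not captured from a live host.
_BOGUS_NAME = (
    (("countryName", "--"),),
    (("stateOrProvinceName", "SomeState"),),
    (("localityName", "SomeCity"),),
    (("organizationName", "SomeOrganization"),),
    (("organizationalUnitName", "SomeOrganizationalUnit"),),
    (("commonName", "localhost.localdomain"),),
    (("emailAddress", "root@localhost.localdomain"),),
)
BOGUS_CERT = {"subject": _BOGUS_NAME, "issuer": _BOGUS_NAME}

# Constructed: a CA-issued certificate for an invented host, with SAN entries.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "*.example.net")),
}

if __name__ == "__main__":
    for host in ("www.amaison.co.uk", "localhost.localdomain"):
        print(host, "->", check_peer_cert(BOGUS_CERT, host) or "ok")
    for host in ("www.example.net", "api.example.net", "deep.api.example.net"):
        print(host, "->", check_peer_cert(GOOD_CERT, host) or "ok")
```

Even when Nagle's certificate is presented for `localhost.localdomain` itself, the self-signed check still fires; a client that wants to accept such a certificate has to do so explicitly (for example by pinning it as a trusted CA), never by skipping the check.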
msg47645 | Author: Martin v. Löwis (loewis) * | Date: 2006-11-30 20:50

The patch is not integrated because nobody had the time to review it; this, in turn, did not happen because we lack reviewers. A quick review reveals that the patch is incomplete: it does not provide changes to the documentation (which it needs to, because it introduces a new feature). The patch also includes no changes to the test suite.
msg47646 | Author: James Eagan (noonian) | Date: 2006-11-30 21:09

I'd be happy to make the changes Löwis suggested, but it will be quite a while before I can find the necessary time. If anyone else can update the docs and tests, please let me know!
msg47647 | Author: vila-sf (vila-sf) | Date: 2007-04-25 08:33

Like nagle, I have a need for this. But the updated patch is now returning a 404 :-(

Since we are still three interested in that patch, what can we do?
msg47648 | Author: vila-sf (vila-sf) | Date: 2007-04-25 08:35

Like nagle, I have a need for this. But the updated patch is now returning a 404 :-(

Since we are still three interested in that patch, what can we do?
msg47649 | Author: John Nagle (nagle) | Date: 2007-04-25 16:44

Note: If you need this, M2Crypto, a third party replacement for the SSL module, provides the necessary functionality. M2Crypto tends to be a headache to build (it uses SWIG, has version dependencies on SWIG, OpenSSL, the compiler, and CPython, and needs some code from its source repository that isn't in the current release), but the correct functionality is in there. That's what I'm using now.
msg55295 | Author: Bill Janssen (janssen) * | Date: 2007-08-26 02:56

I believe this is now fixed with patch 1018.
msg55450 | Author: Bill Janssen (janssen) * | Date: 2007-08-29 23:03

Fixed in 2.6.
msg55463 | Author: vila-sf (vila-sf) | Date: 2007-08-30 06:54

> Bill Janssen added the comment:
> Fixed in 2.6.
> resolution: -> fixed
> status: open -> closed

Thanks for the work on the server side! But there is still one bit missing for the client side: the original patch allowed the handling of self-certified sites which, AIUI, you don't provide. Am I wrong?

Vincent
msg55493 | Author: Bill Janssen (janssen) * | Date: 2007-08-30 17:42

The new SSL code does work with self-signed certs, either by skipping validation with CERT_NONE, or by adding the cert to the ca_certs file. I don't believe there are any other options that make sense, but if you can suggest one, let's hear it.
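The two choices Bill describes (CERT_NONE, or putting the self-signed certificate into the CA file the client trusts), expressed against today's stdlib `ssl` API as an added example; this is not code from the thread, from the 2.6 patch, or from the ssl module's own tests. Trust is attached to an `SSLContext` that is handed to each connection rather than to module-level globals, which is the per-connection alternative to the `ssl_ca_file` / `ssl_ca_path` globals Gustavo objected to in msg47643. The function names are mine; `fetch_peer_cert_pem` and `open_tls` touch the network and are only shown, not exercised here.

```python
"""Per-connection trust settings with the stdlib ssl module (Python 3.6+)."""
import socket
import ssl


def make_client_context(trust="system", cafile=None):
    """Build a client SSLContext for one of three trust choices.

    trust="system": verify the server against the platform CA store (the safe default).
    trust="pinned": verify only against the PEM certificate(s) in `cafile`; this is how a
                    self-signed server certificate is accepted without turning verification off.
    trust="none":   CERT_NONE, no chain or hostname check at all; debugging only.
    """
    # PROTOCOL_TLS_CLIENT already sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if trust == "system":
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    elif trust == "pinned":
        if cafile is None:
            raise ValueError("trust='pinned' needs the path of the pinned certificate file")
        # The file plays the role of the 2.6 ca_certs argument: only certs in it are trusted.
        ctx.load_verify_locations(cafile=cafile)
    elif trust == "none":
        # Order matters: assigning CERT_NONE while check_hostname is still True raises ValueError,
        # so hostname checking is switched off first. Nothing about the peer is verified after this.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError(f"unknown trust mode {trust!r}")
    return ctx


def describe_context(ctx):
    """Summarise a context's verification settings as plain values, for logging or tests."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def fetch_peer_cert_pem(host, port=443):
    """Retrieve the server's certificate as PEM without verifying it, to seed a pinned cafile.

    This is trust-on-first-use: nothing here authenticates the server, so compare the
    certificate's fingerprint out of band before writing it to the file used with trust='pinned'.
    """
    return ssl.get_server_certificate((host, port))


def open_tls(host, port, ctx):
    """Connect and return the wrapped socket; `host` is used for SNI and for hostname matching."""
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for mode in ("system", "none"):
        print(mode, describe_context(make_client_context(mode)))
```

With `trust="pinned"` the hostname check stays on, so the pinned certificate must still carry the name being dialed; that is the part CERT_NONE throws away along with the chain check.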
msg55619 | Author: vila-sf (vila-sf) | Date: 2007-09-03 12:32

Using CERT_NONE or adding the cert covers my needs, thanks.

Any hope this will be backported to python 2.5?
msg55620 | Author: Martin v. Löwis (loewis) * | Date: 2007-09-03 12:52

There definitely won't be any new features in 2.5.x. However, I think Bill said he might make this available separately.
msg55622 | Author: Bill Janssen (janssen) * | Date: 2007-09-03 16:49

I'm planning to do a package for 2.3...
msg56410 | Author: (vila) | Date: 2007-10-14 09:21

> I'm planning to do a package for 2.3...

Any progress on that package? I'd like to do the same for python 2.4 and 2.5 as I have a need for it for both versions. I don't know what you call a package though, but I'm willing to learn :)
msg56423 | Author: Bill Janssen (janssen) * | Date: 2007-10-14 20:07

See the SSL package on PyPI. Should work on 2.3, 2.4, and 2.5.

Bill
History

Date | User | Action | Args
---|---|---|---
2022-04-11 14:56:09 | admin | set | github: 41514
2007-12-10 20:01:57 | ahasenack | set | nosy: + ahasenack
2007-10-14 20:07:31 | janssen | set | messages: + msg56423
2007-10-14 09:21:36 | vila | set | nosy: + vila; messages: + msg56410
2007-09-03 16:49:55 | janssen | set | messages: + msg55622
2007-09-03 12:52:11 | loewis | set | messages: + msg55620
2007-09-03 12:32:22 | vila-sf | set | messages: + msg55619
2007-08-30 17:42:08 | janssen | set | messages: + msg55493
2007-08-30 06:54:19 | vila-sf | set | messages: + msg55463
2007-08-29 23:03:05 | janssen | set | status: open -> closed; resolution: fixed; messages: + msg55450
2007-08-26 02:56:09 | janssen | set | nosy: + janssen; messages: + msg55295
2005-02-01 23:04:16 | noonian | create |