One line summary: adds certificate validation to the SSL module 
and programmer-level hooks to control how and whether 
certificate validation is performed.

Details:
The current SSL implementation in python goes through the 
motions of negotiating an SSL connection, but never validates the 
certificates exchanged.  This is like going through the motions of 
checking someone's photo id, but never making sure the picture 
matches the person you're talking to.  This patch fixes that.

This patch adds 3 module-level variables to the socket module, 
which get exposed iff ssl is built in.  These variables (ssl_ca_file, 
ssl_ca_path, and ssl_verify_level) provide programmer-level 
access to the certificate authorities database and to control what 
level of certificate verification is performed (by default, none, as is 
the current behavior).

If certificate verification is enabled, then one of the two certificate 
authority parameters must be set to  a valid certificate authority 
database or all certificate verification operations will fail.  I have 
an example certificate authority database (extracted from the Java 
keystore) that I can provide, but I'm not sure how to contribute 
that through the patch mechanism.

Cheers!
James Eagan

Logged In: YES 
user_id=1543815

I put together an updated version of this patch against svn
trunk as of June 21, 2006. I also added some additional
documentation to the .tex file.

Maybe someone with sufficient privilidges (or James, if
you're still out there) could attach the updated patch here?

the updated patch is at:
http://www.dangerouslyinc.com/~bowes/ssl_ca.diff

Regards,
James Bowes

Logged In: YES 
user_id=5571

What's the status of this?  Is it going in?  I have a need
for it.  Thanks.

Logged In: YES 
user_id=31389

Nagle:  I haven't heard anything from anyone besides you and jbowes abou this patch here or on the python-dev list, and I haven't had time to 
follow up.  You might have more success via the email list. (Or, if any of the python maintainers is reading this, do you have any suggestions to 
make this patch more attractive?)

Logged In: YES 
user_id=908

> This patch adds 3 module-level variables to the socket
module, which get exposed iff ssl is built in. These
variables (ssl_ca_file, ssl_ca_path, and ssl_verify_level)
provide programmer-level access to the certificate
authorities database and to control what level of
certificate verification is performed (by default, none, as
is the current behavior).

Are you sure it's a good idea to have this kind of 'global'
control over certification authorities?  Global
configurations are handy at first, but they come back and
bite us when we least expect it...

This has been pending for a few months, and there's a fix, but it's not in yet.  What's going on?

I just had Python accept a totally bogus certificate from "www.amaison.co.uk".
The certificate contents are

C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root@localhost.localdomain
Issuer identity:
C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root@localhost.localdomain

Python is perfectly happy with that.   Which is embarassing. 

The patch is not integrated because nobody had the time to review it; this, in turn, did not happen because we lack reviewers.

A quick review reveals that the patch is incomplete: it does not provide changes to the documentation (which it needs to, because it introduces a new feature).

The patch also includes no changes to the test suite.

I'd be happy to make the changes löwis suggested, but it will be quite a while before I can find the necessary time.  If anyone else can update the docs and tests, please let me know!

Like nagle, I have a need for this.

But the updated patch is now returning a 404 :-(

Since we are at still three interested by that patch, what can we do ?

Like nagle, I have a need for this.

But the updated patch is now returning a 404 :-(

Since we are at still three interested by that patch, what can we do ?

Note: If you need this, M2Crypto, a third party replacement for the SSL module, provides the necessary functionality.  M2Crypto tends to be a headache to build (it uses SWIG, has version dependencies on SWIG, OpenSSL, the compiler, and CPython, and needs some code from its source repository that isn't in the current release), but the correct functionality is in there.  That's what I'm using now.

I believe this is now fixed with patch 1018.

Fixed in 2.6.

>>>>> "Bill" == Bill Janssen <report@bugs.python.org> writes:

    Bill> Bill Janssen added the comment:

    Bill> Fixed in 2.6.

    Bill> ----------
    Bill> resolution:  -> fixed
    Bill> status: open -> closed

Thanks for the work on the server side !

But there is still one bit missing for the client side, the
original patch allowed the handling of self-certified sites
which, AIUI, you don't provide.

Am I wrong ?

   Vincent

The new SSL code does work with self-signed certs, either by skipping 
validation with CERT_NONE, or by adding the cert to the ca_certs file.  I 
don't believe there are any other options that make sense, but if you can 
suggest one, let's hear it.

Using CERT_NONE or adding the cert covers my needs, thanks.

Any hope this will be backported to python 2.5 ?

There definitely won't be any new features in 2.5.x. However, I think
Bill said he might make this available separately.

I'm planning to do a package for 2.3...

Sent from my iPhone

On Sep 3, 2007, at 5:32 AM,
vila-sf
<report@bugs.python.org> wrote:

>
>
>                    vila-sf
>                 added the comment:
>
> Using CERT_NONE or adding the cert covers my needs, thanks.
>
> Any hope this will be backported to python 2.5 ?
>
> _____________________________________
> Tracker <report@bugs.python.org>
> <http://bugs.python.org/issue1114345>
> _____________________________________

> I'm planning to do a package for 2.3...

Any progress on that package ?

I'd like to do the same for python 2.4 and 2.5 as I have a need for it
for both versions. 

I don't know what you call a package though,  but I'm willing to learn :)

See the SSL package on PyPI.  Should work on 2.3, 2.4, and 2.5.

Bill

On 10/14/07, vila <report@bugs.python.org> wrote:
>
> vila added the comment:
>
> > I'm planning to do a package for 2.3...
>
> Any progress on that package ?
>
> I'd like to do the same for python 2.4 and 2.5 as I have a need for it
> for both versions.
>
> I don't know what you call a package though,  but I'm willing to learn :)
>
> ----------
> nosy: +vila
>
> _____________________________________
> Tracker <report@bugs.python.org>
> <http://bugs.python.org/issue1114345>
> _____________________________________
>