
classification
Title: Add SSL certificate validation
Type:
Stage:
Components: Extension Modules
Versions:

process
Status: closed
Resolution: duplicate
Dependencies:
Superseder:
Assigned To:
Nosy List: holdenweb, noonian, terry.reedy
Priority: normal
Keywords: patch

Created on 2005-02-03 18:42 by noonian, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name: python-ssl-verification.diff
Uploaded: noonian, 2005-02-03 18:42
Description: python-ssl-verification patch
Messages (4)
msg47652 - (view) Author: James Eagan (noonian) Date: 2005-02-03 18:42
One line summary: adds certificate validation to the SSL module and programmer-level hooks to control how and whether certificate validation is performed.

Details:
The current SSL implementation in python goes through the motions of negotiating an SSL connection, but never validates the certificates exchanged. This is like going through the motions of checking someone's photo id, but never making sure the picture matches the person you're talking to. This patch fixes that.

This patch adds 3 module-level variables to the socket module, which get exposed iff ssl is built in. These variables (ssl_ca_file, ssl_ca_path, and ssl_verify_level) provide programmer-level access to the certificate authorities database and to control what level of certificate verification is performed (by default, none, as is the current behavior).

If certificate verification is enabled, then one of the two certificate authority parameters must be set to a valid certificate authority database or all certificate verification operations will fail. I have an example certificate authority database (extracted from the Java keystore) that I can provide, but I'm not sure how to contribute that through the patch mechanism.

Cheers!
James Eagan
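As an added illustration, not part of this report or of the attached patch: the same three knobs the report describes (a CA file, a CA directory, and a verification level) expressed with today's ssl module, where an SSLContext plays the role the patch gave to module-level variables in socket. It also encodes the pitfall the report states, that verification turned on with no CA database loaded makes every verification fail, by refusing to open a connection in that state. The function names and the check in verification_is_effective are my own; constructing the contexts needs no network access.

```python
import socket
import ssl


def make_context(verify=True, cafile=None, capath=None, fall_back_to_system_store=True):
    """Build a client TLS context.

    verify=False reproduces the pre-patch behaviour the report describes:
    the handshake runs but the peer certificate is never checked.
    verify=True requires a certificate and matches it against the server
    name; the CA database comes from cafile/capath (the report's
    ssl_ca_file / ssl_ca_path) or, if neither is given and the fallback is
    allowed, from the platform's default store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    if not verify:
        # Order matters: hostname checking must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if cafile is not None or capath is not None:
        # Raises FileNotFoundError if cafile does not exist, so a typo in the
        # CA path is caught at configuration time rather than at each handshake.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    elif fall_back_to_system_store:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def describe(ctx):
    """Summarise the verification settings of a context as plain values."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "ca_count": ctx.cert_store_stats()["x509_ca"],
    }


def verification_is_effective(ctx):
    """True only if the context demands a peer certificate, checks the server
    name, and trusts at least one CA. A context that requires a certificate
    but trusts no CA rejects every peer: the failure mode the report warns of
    when verification is enabled without a CA database."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.cert_store_stats()["x509_ca"] > 0
    )


def open_verified(host, port, ctx, timeout=10.0):
    """Connect and handshake with the given context, passing the intended
    server name so the certificate's subject/SAN is matched against it.
    Refuses up front if the context could not possibly verify anything."""
    if not verification_is_effective(ctx):
        raise RuntimeError("refusing to connect: certificate verification is not effective")
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    legacy = make_context(verify=False)
    empty = make_context(verify=True, fall_back_to_system_store=False)
    system = make_context(verify=True)
    for name, ctx in (("legacy", legacy), ("empty-store", empty), ("system-store", system)):
        print(name, describe(ctx), "effective:", verification_is_effective(ctx))
```

The ca_count check is the part worth keeping: OpenSSL will not complain about an empty trust store at configuration time, so a deployment that sets verification on but points at a missing CA directory discovers the mistake only when every connection fails with a verification error.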
msg47653 - (view) Author: Steve Holden (holdenweb) * (Python committer) Date: 2005-02-03 18:48
How does this differ from 1114345?
msg47654 - (view) Author: James Eagan (noonian) Date: 2005-02-03 19:00
Uh, it doesn't. It was a user error/refresh bug with me and my web browser. Sorry 'bout that.
msg47655 - (view) Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2005-02-04 19:52
So please close this one as 'duplicate' or the closest thing thereto, such as 'invalid'.
History
Date | User | Action | Args
2022-04-11 14:56:09 | admin | set | github: 41521
2005-02-03 18:42:57 | noonian | create |