[Cryptography-dev] Possible to customize how python handle ssl verify callback?

Alex Gaynor alex.gaynor at gmail.com
Fri Jan 7 13:17:46 EST 2022


This mailing list is for dealing with the Python Cryptographic
Authority family of libraries, so we're not really in a position to
provide support for the Python stdlib modules. For that you want
something like https://discuss.python.org/.

That said, if you really want this to apply to _all_ X.509 validation
for TLS connections, your best bet is probably to monkeypatch
https://docs.python.org/3/library/ssl.html#ssl.create_default_context
to return a context with your verify callback.

Alex

On Fri, Jan 7, 2022 at 1:13 PM Edward Tsang via Cryptography-dev
<cryptography-dev at python.org> wrote:
>
> Is it possible to change the behavior of how standard Python verifies X509 certificates? The background is that I want to filter, ignore and log some of the X509 certificate validation errors. I would like to apply this universally, as the Python standard library includes multiple modules that provide HTTP client functionality, including httplib, urllib, urllib2, and xmlrpclib. Does Python offer a way for users to customize certificate verification behavior? Can anyone point out how to do this or link to any project that is doing that?
>
> As per openssl doc, we can do that
> https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html
> we can customize the certificate verify callback with this
>
> void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
>                                    X509_STORE_CTX_verify_cb verify_cb);



-- 
All that is necessary for evil to succeed is for good people to do nothing.
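
A sketch of the monkeypatch suggested in the reply, added here as an example and not code from the thread or from any project. The stdlib `ssl` module does not expose OpenSSL's `X509_STORE_CTX_set_verify_cb`, so this version hooks the handshake instead: it logs each verification failure and still refuses the connection. The names `LoggingSSLSocket`, `describe_failure`, `logging_default_context` and `install` are hypothetical.

```python
import logging
import ssl

log = logging.getLogger("tls.verify")
_original_create_default_context = ssl.create_default_context


def describe_failure(exc, server_hostname):
    """Format one certificate verification failure for the log."""
    code = getattr(exc, "verify_code", None)  # OpenSSL X509_V_ERR_* number
    reason = getattr(exc, "verify_message", str(exc))
    return f"host={server_hostname!r} verify_code={code} reason={reason!r}"


class LoggingSSLSocket(ssl.SSLSocket):
    """SSLSocket that records verification failures, then fails as usual."""

    def do_handshake(self, *args, **kwargs):
        try:
            return super().do_handshake(*args, **kwargs)
        except ssl.SSLCertVerificationError as exc:
            log.warning("certificate rejected: %s",
                        describe_failure(exc, self.server_hostname))
            raise  # the connection is still refused


def logging_default_context(*args, **kwargs):
    """Drop-in for ssl.create_default_context with the same arguments."""
    ctx = _original_create_default_context(*args, **kwargs)
    ctx.sslsocket_class = LoggingSSLSocket  # used by SSLContext.wrap_socket()
    return ctx


def install():
    """Patch the factories the stdlib HTTP clients look up at call time."""
    ssl.create_default_context = logging_default_context
    # http.client and urllib call this private alias, not the public name.
    ssl._create_default_https_context = logging_default_context


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    install()
    print(ssl.create_default_context().sslsocket_class.__name__)
```

Call `install()` before other modules import names from `ssl`; code that already did `from ssl import create_default_context` or builds its own `SSLContext` is not affected.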

