[Patches] [ python-Patches-810754 ] socket.ssl should check certificates
SourceForge.net
noreply at sourceforge.net
Thu Nov 30 21:43:40 CET 2006
Patches item #810754, was opened at 2003-09-22 20:30
Message generated for change (Comment added) made by loewis
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=810754&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Modules
Group: Python 2.2.x
Status: Closed
Resolution: Rejected
Priority: 5
Private: No
Submitted By: Damjan Georgievski (gdamjan)
Assigned to: Martin v. Löwis (loewis)
Summary: socket.ssl should check certificates
Initial Comment:
I've decided to post here the patch proposed by Ed
Phillips, since I think it's simple addition to the
socket.ssl that will drastically increase its
usefullness... The point of the patch is for a
socket.ssl object to check the certificate received by
the peer.
http://mail.python.org/pipermail/python-list/2003-July/174933.html
----------------------------------------------------------------------
>Comment By: Martin v. Löwis (loewis)
Date: 2006-11-30 21:43
Message:
Logged In: YES
user_id=21627
Originator: NO
This was a patch submission, asking that the proposed patch is integrated.
I rejected the patch, and the issue is done.
If you want to report a bug, please do so as a separate issue (you may
include a patch also, but then the description should clearly state what
the bug is - this issue doesn't). Of course, as a bug report, it may stay
open unreviewed for several years if no patch is contributed that fixes
it.
----------------------------------------------------------------------
Comment By: John Nagle (nagle)
Date: 2006-11-30 21:18
Message:
Logged In: YES
user_id=5571
Originator: NO
Same bug, with different patch, is at: [ 1114345 ] Add SSL certificate
validation
----------------------------------------------------------------------
Comment By: John Nagle (nagle)
Date: 2006-11-30 21:10
Message:
Logged In: YES
user_id=5571
Originator: NO
This should be reopened. Just because the proposed fix didn't work is no
reason to close the defect report.
Currently, Python will accept the following totally bogus certificate
(from www.amaison.co.uk) as valid:
C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root at localhost.localdomain
Issuer identity:
C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root at localhost.localdomain
----------------------------------------------------------------------
Comment By: Martin v. Löwis (loewis)
Date: 2003-10-26 17:47
Message:
Logged In: YES
user_id=21627
I think you are mis-interpreting the purpose of the key_file
and cert_file arguments. They do *not* indicate the
certificate of the trusted CAs, but provide the key and
certificate of the *client*. By re-interpreting the
cert_file as the file of the trusted CAs, you break
client-side authentication. Therefore, i reject this patch.
That said, I do agree that checking server-side certificates
is a useful think, so I encourage you to provide a new patch
which does that, e.g. by adding a certificate_chain_file
argument (or some such).
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=810754&group_id=5470
More information about the Patches
mailing list