[issue19689] ssl.create_default_context()

Christian Heimes report at bugs.python.org
Fri Nov 22 18:18:25 CET 2013


Christian Heimes added the comment:

New patch with enum and more cleanups.

I'd like to explain the rationale for the purpose argument in create_default_context and the ASN1Object thing. There are multiple things involved here. First of all a certificate may have key usage and extended key usage OIDs in its X509v3 extensions. OpenSSL already checks them according to its mode.

The purpose is also required to load the correct set of certs from a certificate provider (e.g. Windows cert store, Mozilla NSS certdata, Apple's keystore). The system or user can impose additional restrictions for certificates, e.g. disable a cert for TLS web server auth although the X.509 struct specifies 1.3.6.1.5.5.7.3.1 in its X509v3 extensions. NSS certdata also contains invalid certificates or certificates that are not suitable for server auth although the cert claims it.

In order to load only trusted certs for a purpose the API needs a purpose flag (usually an OID or a NID). Most Linux users have never seen this differentiation because /etc/ssl/certs/ either contains only server auth certs or their distributions screw up. See https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1207004 or http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.2.1.0.1.5.html

----------
Added file: http://bugs.python.org/file32778/ssl_create_default_context2.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue19689>
_______________________________________
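As an added illustration (not part of the patch or of the stdlib), the following uses the ssl.Purpose API as it later shipped: a purpose is an ASN1Object whose .oid is the extended key usage OID, and both the cert's own EKU claim and the cert provider's restrictions decide whether a trust anchor is loaded for that purpose. trusted_for() and its sample inputs are a constructed model of that rule, not stdlib code.

```python
import ssl

# anyExtendedKeyUsage (RFC 5280): a cert carrying it is usable for every purpose.
ANY_EKU_OID = "2.5.29.37.0"


def context_settings(purpose):
    """Build a default context for `purpose` and return what the purpose implies.

    The purpose is an ASN1Object: its .oid is the extended key usage OID the
    context is meant for, and it also selects which trust anchors
    load_default_certs() takes from the platform cert store."""
    ctx = ssl.create_default_context(purpose=purpose)
    return {
        "oid": purpose.oid,              # '1.3.6.1.5.5.7.3.1' for SERVER_AUTH
        "shortname": purpose.shortname,  # 'serverAuth' for SERVER_AUTH
        "verify_mode": ctx.verify_mode,
        "check_hostname": ctx.check_hostname,
    }


def trusted_for(purpose, cert_eku_oids, provider_trust=True):
    """Constructed model of the two checks the comment describes, for one anchor.

    cert_eku_oids:  OIDs from the cert's own extendedKeyUsage extension
                    (None when the extension is absent, i.e. unrestricted).
    provider_trust: True when the cert store imposes no extra restriction,
                    otherwise the set of purpose OIDs the store still allows.
    The X.509 claim and the store's policy must both agree."""
    claims_purpose = (
        cert_eku_oids is None
        or purpose.oid in cert_eku_oids
        or ANY_EKU_OID in cert_eku_oids
    )
    store_allows = provider_trust is True or purpose.oid in provider_trust
    return claims_purpose and store_allows


if __name__ == "__main__":
    # Constructed sample: a CA cert that claims serverAuth in its X509v3
    # extensions, but whose store entry the user restricted to client auth.
    server_eku = [ssl.Purpose.SERVER_AUTH.oid]
    print(context_settings(ssl.Purpose.SERVER_AUTH))
    print(trusted_for(ssl.Purpose.SERVER_AUTH, server_eku))            # True
    print(trusted_for(ssl.Purpose.SERVER_AUTH, server_eku,
                      provider_trust={ssl.Purpose.CLIENT_AUTH.oid}))   # False
```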
