[Python-Dev] SSL Certificate Validation

Devin Cook devin.c.cook at gmail.com
Tue Jun 16 23:31:23 CEST 2009


> But I really do believe that this is what he needs to do next:
> familiarize himself with OpenSSL. There are a lot of APIs in that
> library, and it takes a while (i.e.: several months) to get
> productive, in particular since OpenSSL doesn't have the most
> intuitive API.

Well, I realized this as soon as I looked at the _ssl.c code... I was
just hoping that someone would be able to give me a quick
clarification on exactly what gets validated. If it's just the chain
(which is what I suspect), I would like to submit a patch that does
the rest of the validation (that a browser typically does:
CN/hostname, NotBefore, NotAfter, etc.) in the ssl module. I was also
hoping to find out what the consensus is about this: mainly, *should*
that verification be done in the ssl module? Maybe this verification
should somehow be done in OpenSSL, which would mean that I need to do
a LOT more reading and go pester their mailing list instead.

This is for issue 6273 ( http://bugs.python.org/issue6273 ). In your
reply to that issue, it seemed to me like you were saying that these
things were not getting checked in the ssl module (and, therefore, not
in OpenSSL either):

> I find the patch incomplete, for formal and semantical reasons:
> a) it doesn't come with documentation or test suite changes, and
> b) it doesn't implement the typical certificate checks that browsers
>    do, beyond validating that the certificate is valid - e.g. also
>    validating that the certificate is issued to the host you are trying
>    to connect to.

I would like to do validation of server certificates in a project I'm
working on, and I figured it would be better to be proactive and try
to help create a patch than to just sit back and complain about it. It
seems to me that this is a bug that you can't do peer certificate
validation in httplib.

If this isn't the place to ask these kinds of questions, I apologise.
I can take the discussion elsewhere if I need to.

Thanks,
-Devin
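As an added illustration of the checks Devin lists (hostname against subjectAltName/CN, NotBefore, NotAfter), this is example code written for this page, not code from the thread or from CPython's ssl module. It assumes the certificate is already chain-validated by OpenSSL and is presented in the dict shape that later versions of ssl.getpeercert() return; the sample certificate dict is constructed.

```python
import calendar
import time


def cert_time_to_epoch(cert_time):
    # Certificate times as the ssl module renders them, e.g. "Jun 16 00:00:00 2009 GMT"
    return calendar.timegm(time.strptime(cert_time, "%b %d %H:%M:%S %Y GMT"))


def dns_name_matches(pattern, hostname):
    # RFC 2818 style matching: a leading "*." stands for exactly one non-empty label
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        first, _, rest = hostname.partition(".")
        return bool(first) and "*" not in first and rest == pattern[2:]
    return pattern == hostname


def check_peer_cert(cert, hostname, now=None):
    """Return a list of problems found in a getpeercert()-style dict.

    Covers the checks the message says are missing from the ssl module:
    validity window (notBefore/notAfter) and hostname against the
    certificate's DNS names. An empty list means these checks passed.
    """
    problems = []
    if now is None:
        now = time.time()
    try:
        if now < cert_time_to_epoch(cert["notBefore"]):
            problems.append("certificate is not yet valid (notBefore)")
        if now > cert_time_to_epoch(cert["notAfter"]):
            problems.append("certificate has expired (notAfter)")
    except (KeyError, ValueError):
        problems.append("validity period is missing or unparseable")
    # subjectAltName dNSName entries take precedence; CN is only a fallback
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not names:
        problems.append("certificate carries no DNS name to match against")
    elif not any(dns_name_matches(n, hostname) for n in names):
        problems.append("hostname %r does not match %r" % (hostname, names))
    return problems


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Jun  1 00:00:00 2009 GMT",
    "notAfter": "Jun  1 00:00:00 2010 GMT",
}
```

Treat a non-empty result as a reason to abort the connection; a wildcard only matches a single label, so "a.b.example.net" is rejected by design.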

