[Python-Dev] SSL Certificate Validation

Jesse Noller jnoller at gmail.com
Wed Jun 17 00:09:58 CEST 2009


On Tue, Jun 16, 2009 at 5:31 PM, Devin Cook <devin.c.cook at gmail.com> wrote:
>> But I really do believe that this is what he needs to do next:
>> familiarize himself with OpenSSL. There are a lot of APIs in that
>> library, and it takes a while (i.e.: several months) to get
>> productive, in particular since OpenSSL doesn't have the most
>> intuitive API.
>
> Well, I realized this as soon as I looked at the _ssl.c code... I was
> just hoping that someone would be able to give me a quick
> clarification on exactly what gets validated. If it's just the chain
> (which is what I suspect), I would like to submit a patch that does
> the rest of the validation (that a browser typically does:
> CN/hostname, NotBefore, NotAfter, etc.) in the ssl module. I was also
> hoping to find out what the consensus is about this: mainly, *should*
> that verification be done in the ssl module? Maybe this verification
> should somehow be done in OpenSSL, which would mean that I need to do
> a LOT more reading and go pester their mailing list instead.
>
> This is for issue 6273 ( http://bugs.python.org/issue6273 ). In your
> reply to that issue, it seemed to me like you were saying that these
> things were not getting checked in the ssl module (and, therefore, not
> in OpenSSL either):
>

Also my initial bug report "client-side cert support" was a big fat
typo on my part.

face-palm'dly yours,
jesse
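
The checks listed in the quoted message (CN/hostname, NotBefore, NotAfter), written out as an added Python example that is not part of the original thread and is not the ssl module's own code. It assumes the chain has already been validated and the peer certificate is available in the dict shape that `getpeercert()` returns; the function names, the sample certificate and the wildcard policy are illustrative assumptions.

```python
import ssl

def name_matches(pattern, host):
    """Compare one certificate DNS name with the requested host.
    '*' is honoured only as the whole leftmost label, never for a bare TLD."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def names_in_cert(cert):
    """DNS subjectAltName entries; fall back to subject CN only if there are none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def post_chain_checks(cert, hostname, now):
    """Return the list of failed checks (empty list means all passed)."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(name_matches(n, hostname) for n in names_in_cert(cert)):
        problems.append("hostname mismatch")
    return problems

# Constructed sample certificate, not taken from any real server.
SAMPLE = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "*.cdn.example.org")),
    "notBefore": "Jun  1 00:00:00 2009 GMT",
    "notAfter": "Jun  1 00:00:00 2010 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun 17 00:00:00 2009 GMT")

if __name__ == "__main__":
    for host in ("www.example.org", "img.cdn.example.org", "www.example.net"):
        print(host, post_chain_checks(SAMPLE, host, NOW) or "ok")
```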

