[Python-Dev] cpython: Added SSL test for HTTPHandler.
Antoine Pitrou
solipsis at pitrou.net
Sat May 21 13:09:03 CEST 2011
On Sat, 21 May 2011 12:32:21 +0200
vinay.sajip <python-checkins at python.org> wrote:
> + if secure:
> + import ssl
> + fd, fn = tempfile.mkstemp()
> + os.close(fd)
> + with open(fn, 'w') as f:
> + f.write(self.PEMFILE)
> + sslctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
> + sslctx.load_cert_chain(fn)
We already bundle a couple of cert files in Lib/test, so you shouldn't
have to use your own (see e.g. Lib/test/keycert.pem).
> + self.h_hdlr = logging.handlers.HTTPHandler(host, '/frob', secure=secure)
If you want real security, HTTPHandler should configure its SSLContext
in CERT_REQUIRED mode (and be given the proper root certificate(s)).
Otherwise you are vulnerable to man-in-the-middle attacks.
See the "context" and "check_hostname" arguments to HTTPSConnection:
http://docs.python.org/dev/library/http.client.html#http.client.HTTPSConnection
Regards
Antoine.
More information about the Python-Dev
mailing list