[Python-Dev] Verification of SSL cert and hostname made easy

Antoine Pitrou solipsis at pitrou.net
Sun Dec 1 11:37:01 CET 2013


On Sun, 01 Dec 2013 02:53:32 +0100
Christian Heimes <christian at python.org> wrote:
> On 30.11.2013 23:51, Antoine Pitrou wrote:
> > Small nit: what happens if the server_hostname is None (i.e. wasn't
> > passed to context.wrap_socket())?
> 
> The code will raise an exception. My patch already implements a more
> verbose ValueError that explains the cause of the problem. It's a flaw
> in the code that calls context.wrap_socket. Erroneous code will no
> longer pass silently.
> 
> The patch also ensures a valid combination of verify_mode and
> check_hostname:
> 
> >>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
> >>> context.check_hostname = True
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
> ValueError: check_hostname needs a SSL context with either CERT_OPTIONAL
> or CERT_REQUIRED
> >>> context.verify_mode = ssl.CERT_REQUIRED
> >>> context.check_hostname = True
> >>> context.verify_mode = ssl.CERT_NONE
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
> ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is
> enabled.

So I have to set attributes in a given order? I find this silly.

Regards

Antoine.

