[Python-Dev] PEP 476: Enabling certificate validation by default!
Christian Heimes
christian at python.org
Sun Aug 31 19:23:53 CEST 2014
On 31.08.2014 08:24, Nick Coghlan wrote:
> To answer David's specific question, the existing knobs at the OpenSSL
> level (SSL_CERT_DIR and SSL_CERT_FILE ) let people add an internal CA,
> opt out of the default CA system, and trust *specific* self-signed
> certs.
This works only on Unix platforms iff SSL_CERT_DIR and SSL_CERT_FILE are
both set to a non-empty string that points to non-existing files or
something like /dev/null.
On Windows my enhancement will always cause the system trust store to
kick in. There is currently no way to disable the Windows system store
for ssl.create_default_context() and ssl._create_stdlib_context() with
the functions' default arguments.
On Mac OS X the situation is even more obscure. Apple's OpenSSL binaries
are using Apple's Trust Evaluation Agent. You have to set
OPENSSL_X509_TEA_DISABLE=1 in order to prevent the agent from adding
trusted certs from OSX key chain. Hynek Schlawack did a deep dive into
it. https://hynek.me/articles/apple-openssl-verification-surprises/
> A Python-specific user level cert store is something that could be
> developed as a PyPI library for Python 2.7.9+ and 3.4+ (Is cert
> management considered in scope for cryptography.io? If so, that could
> be a good home).
Python's SSL module is lacking some functionalities in order to
implement a fully functional cert store.
* no verify hook to verify each certificate in the chain like
https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_verify_callback.html
http://linux.die.net/man/3/x509_store_ctx_set_verify_cb
/api/ssl.html#OpenSSL.SSL.Context.set_verify
* no way to get the full cert chain including the root certificate.
* no API to get the subject public key information (SPKI). The SPKI hash
can be used to identify a certificate. For example it's used in Google's
CRLSet. http://dev.chromium.org/Home/chromium-security/crlsets
* the cert validation exception could use some additional information.
There are probably some more things mising. An X509 object would help, too.
Christian
More information about the Python-Dev
mailing list