[Python-Dev] PEP 476: Enabling certificate validation by default!

Christian Heimes christian at python.org
Sun Aug 31 22:16:22 CEST 2014


On 31.08.2014 19:29, Antoine Pitrou wrote:
> You certainly shouldn't do so. If an application has special needs that
> require trusting a self-signed certificate, then it should expose a
> configuration setting to let users specify the cert's location. Stuffing
> self-signed certs into the system trust store is really a measure of
> last resort.

Correct!

I merely wanted to state that OpenSSL can verify a self-signed
certificate easily. The certificate 'just' has to be added to the
SSLContext's store of trusted root certs. Somebody has to figure out how
Python can accomplish the task.

> There's another case which isn't solved by this, though, which is when a
> cert is invalid. The common situation being that it has expired
> (renewing certs is a PITA and therefore expired certs are more common
> than it sounds they should be). In this case, there is no way to
> whitelist it: you have to disable certificate checking altogether. This
> can be exposed by the application as a configuration option if necessary,
> as well.

It's possible to ignore errors with a verify callback. OpenSSL's wiki
has an example for the expired certs
http://wiki.openssl.org/index.php/Manual:X509_STORE_CTX_set_verify_cb%283%29#EXAMPLES

Christian
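
An added example, not part of the original message or of the PEP: one way an application can trust a self-signed certificate through its own configuration setting and an SSLContext, leaving the system trust store untouched. The function name, the `config` dict and its `trusted_cert` key are assumptions made for illustration.

```python
import ssl


def build_client_context(config):
    """Return a verifying TLS client context for an application.

    `config` is a hypothetical application settings dict. If it has a
    "trusted_cert" entry (path to a PEM file), only that certificate is
    trusted; the system trust store is neither read nor modified.
    """
    pinned = config.get("trusted_cert")
    if pinned is None:
        # No override: system roots, hostname checking, CERT_REQUIRED.
        return ssl.create_default_context()

    # PROTOCOL_TLS_CLIENT starts with an empty trust store and with
    # check_hostname=True and verify_mode=CERT_REQUIRED already set.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=pinned)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        raise ValueError(f"cannot load trusted_cert {pinned!r}: {exc}") from exc
    if ctx.cert_store_stats()["x509"] == 0:
        # Fail closed if the file parsed but held no certificate.
        raise ValueError(f"trusted_cert {pinned!r} contains no certificate")
    return ctx
```

Hostname checking stays on in both branches, so the self-signed certificate still has to name the host the client connects to.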


