[Python-Dev] PEP 466 (round 2): Network security enhancements for Python 2.7

Donald Stufft donald at stufft.io
Sun Mar 23 16:55:25 CET 2014


On Mar 23, 2014, at 9:13 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> On Sun, 23 Mar 2014 17:07:24 +1000
> Nick Coghlan <ncoghlan at gmail.com> wrote:
>> Another more critical example is the lack of SSL hostname matching in the
>> Python 2 standard library - it is currently necessary to rely on a third
>> party library, such as ``requests`` or ``backports.ssl_match_hostname`` to
>> obtain that functionality in Python 2.
> 
> Do note that match_hostname() is a pure Python function and is easy to
> paste into your own code (if you don't want to pull in a dependency).
> It doesn't need SSLContext or any other recent stuff, just a
> certificate dict which Python 2.x is already able to provide
> (SSLSocket.getpeercert()).

So the problem with match_hostname is that it’s a security sensitive function,
there has already been at least one fix to it because of it doing something
incorrectly. Advocating that users copy it into their own code base typically means
that it’ll get copied once and forgotten. So for any security updates in the future
they are unlikely to get those.

It seems like the danger of _adding_ things like that is pretty minimal.

> 
>> Firstly, this PEP encompasses a non-trivial portion of the standard library.
>> It's not just the underlying SSL support, but also the libraries for other
>> network protocols like HTTP, FTP, IMAP, and POP3 that integrate with the
>> SSL infrastructure to provide secure links, and that's just the protocols
>> in the standard library.
> 
> It's still not obvious what you are proposing to do with these other
> libraries. If you are proposing to validate certs against system CAs and
> check hostnames by default - you are going to break compatibility for a
> lot of current uses.
> 
> As Martin I think it would be easier to reason about a concrete backport
> proposal.
> 
> Regards
> 
> Antoine.


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
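
An added illustration of why the hostname check discussed in this thread is security sensitive (not code from the thread, the PEP or the standard library): a glob-style matcher next to a label-by-label one, run over a constructed certificate dict in the shape SSLSocket.getpeercert() returns. The function names and the wildcard policy are assumptions of this example.

```python
import fnmatch

# Constructed sample, shaped like the dict SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}


def dns_names(cert):
    """DNS subjectAltName entries; commonName is used only when there are none."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def naive_match(cert, hostname):
    """Glob matching: '*' also swallows dots, so it accepts too much."""
    return any(fnmatch.fnmatchcase(hostname.lower(), n.lower())
               for n in dns_names(cert))


def label_match(pattern, hostname):
    """Compare label by label; '*' may only be the entire left-most label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if "*" not in pattern:
        return p == h
    # Assumed policy: one wildcard, left-most, with two or more labels after it.
    if p[0] != "*" or pattern.count("*") != 1 or len(p) < 3:
        return False
    return p[1:] == h[1:]


def strict_match(cert, hostname):
    return any(label_match(n, hostname) for n in dns_names(cert))


if __name__ == "__main__":
    for host in ("www.example.org", "a.b.example.org", "example.org"):
        print(host, naive_match(SAMPLE_CERT, host), strict_match(SAMPLE_CERT, host))
```

The two matchers agree on the ordinary names and differ only on multi-label and overly broad wildcards, which is the kind of difference a pasted copy would never pick up from a later fix.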
