Getting SSL certificate
Martin v. Loewis
martin at v.loewis.de
Sun Nov 10 02:49:52 EST 2002
"Stuart D. Gathman" <stuart at bmsi.com> writes:
> Tying doesn't tell me whether the cert was actually checked.
It does if you produce a case which should fail, e.g. by providing a
CA chain which the server won't verify against.
> socketmodule.c never calls SSL_get_verify_result()
So this could be fixed by exposing SSL_get_verify_result, right?
> It seems that the docs are correct. The certificate is not validated and
> I could be talking to anybody or their dog. Furthermore, while the
> server and issuer are exposed through undocumented attributes, the
> server_cert is not. So there is no way to validate the cert manually,
> short of rewriting socketmodule.c. This is one case where the batteries
> included have been sitting on the shelf too long.
Definitely. It's a chicken-and-egg problem: Nobody believes the
builtin SSL support is useful, so nobody contributes
improvements. That is very unfortunate.
> If only the server_cert were available, validating it is not too much
> work. There is an external 'verify' program supplied with openssl that
> does most of the work for you.
While that might be the case, I don't really see the need for that. If
you expose SSL_get_verify_result, your application would work, right?
If you provide a patch that exposes both (get_verify_result, and
server_cert), this would be most appreciated.
Regards,
Martin
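The thread's complaint is that the server certificate and the verification result were never exposed to the caller. As an added example (not code from the thread or from socketmodule.c), here is what the manual check Stuart describes looks like over the dict that today's `ssl.SSLSocket.getpeercert()` returns, plus the context that makes the library perform the verification itself; the certificate dict is constructed sample data.

```python
import ssl
import time

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Oct 10 00:00:00 2002 GMT",
    "notAfter": "Nov 30 23:59:59 2002 GMT",
}

def _label_matches(pattern, hostname):
    """RFC 6125-style match: '*' is accepted only as the whole leftmost label,
    never across a dot, and not for two-label names such as '*.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def check_peer_cert(cert, hostname, now=None):
    """Return a list of problems (empty means these checks passed).
    This supplements chain verification by the TLS library (CERT_REQUIRED),
    the SSL_get_verify_result step the thread says was never performed."""
    problems = []
    if not cert:
        # With CERT_NONE the ssl module hands back an empty dict: nothing to check.
        return ["no certificate available (verification disabled?)"]
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the CN only when no SAN is present
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(_label_matches(n, hostname) for n in names):
        problems.append("hostname %r not in %r" % (hostname, names))
    return problems

def verified_context():
    """The fix the thread asks for, as the modern ssl module ships it: the
    library itself verifies the chain and matches the hostname."""
    return ssl.create_default_context()
```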
More information about the Python-list mailing list