"ssl" module doesn't validate that domain of certificate is correct
John Nagle
nagle at animats.com
Mon Apr 19 12:51:27 EDT 2010
I'm converting some code from M2Crypto to the new "ssl" module, and
I've found what looks like a security hole. The "ssl" module will
validate the certificate chain, but it doesn't check that the certificate
is valid for the domain.
Here's the basic code:
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock = ssl.wrap_socket(sk, ca_certs=certfile,
cert_reqs=ssl.CERT_REQUIRED)
sock.connect((domain,443))
cert = sock.getpeercert()
print('SSL cert for "%s":' % (domain,))
for fieldname in cert :
print(' %s = %s' % (fieldname, cert[fieldname]))
Note that I'm sending a CA cert list and am specifying CERT_REQUIRED,
so I should get a proper cert check.
Now let's try a host that presents the wrong SSL cert. Try, in
a browser,
https://www.countrysidecabinetry.com
You'll get an error. But the "ssl" module is happy with this cert:
SSL cert for "www.countrysidecabinetry.com":
notAfter = Dec 8 23:30:48 2010 GMT
subject = ((('serialNumber', u'E5gMXaDjnqfFPID2KNdLTVNEE6PjtqOr'),),
(('countryName', u'US'),), (('organizationName', u'customla
serengravings.com'),), (('organizationalUnitName', u'GT57631608'),),
(('organizationalUnitName', u'See www.rapidssl.com/resources/cp
s (c)09'),), (('organizationalUnitName', u'Domain Control Validated -
RapidSSL(R)'),), (('commonName', u'customlaserengravings.com')
,))
Note that the cert is for "customlaserengravings.com", but is being
presented by "countrysidecabinetry.com". Fail.
When I try this with M2Crypto, I get an SSL.Checker.WrongHost exception.
That's what should happen.
John Nagle
More information about the Python-list
mailing list