Newbie question regarding SSL and certificate verification
Antoine Pitrou
solipsis at pitrou.net
Thu Jul 29 12:13:27 EDT 2010
On Wed, 28 Jul 2010 22:23:48 -0700
geremy condra <debatem1 at gmail.com> wrote:
> >
> > The new Python SSL module in 2.6 and later has a huge built-in
> > security hole - it doesn't verify the domain against the
> > certificate. As someone else put it, this means "you get to
> > talk securely with your attacker." As long as the site or proxy
> > has some valid SSL cert, any valid SSL cert copied from anywhere,
> > the new Python SSL module will tell you everything is just fine.
> >
> > John Nagle
>
> Did anything ever come of the discussion that you and Antoine had?
As I wrote in http://bugs.python.org/issue1589, I would support adding
the necessary function(s) to the SSL module, and have urllib (and other
stdlib modules) support them. Someone needs to write a patch, though.
Regards
Antoine.
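
The check discussed in this thread, as an added example that is not part of the original message or of the Python ssl module: a simplified hostname match over the dict shape returned by `SSLSocket.getpeercert()`. The function names `cert_matches_hostname` and `_label_match` and the sample certificate are hypothetical; IP-address SAN entries and internationalized names are not handled.

```python
# Added example: hostname check over the dict shape returned by
# ssl.SSLSocket.getpeercert(). The sample certificate below is constructed.

def _label_match(pattern, hostname):
    """Compare one DNS name from the certificate against the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False          # a wildcard never spans more than one label
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # Whole-label wildcard only; reject two-label patterns such as *.com
        return len(p_labels) > 2 and h_labels[0] != ""
    return first == h_labels[0]


def cert_matches_hostname(cert, hostname):
    """Return True if the peer certificate is valid for `hostname`."""
    if not cert:
        return False          # no cert, or validation was not requested
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Fall back to commonName only when no DNS SAN entries are present
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_label_match(name, hostname) for name in dns_names)


# Constructed sample: a certificate legitimately issued for example.org names
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.api.example.org")),
}

if __name__ == "__main__":
    for host in ("www.example.org", "v1.api.example.org", "bank.example.com"):
        print(host, cert_matches_hostname(SAMPLE_CERT, host))
```

Current Python versions perform this check inside the ssl module when a context from `ssl.create_default_context()` is used, since that context has `check_hostname` enabled.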