Newbie question regarding SSL and certificate verification

geremy condra debatem1 at gmail.com
Thu Jul 29 17:22:24 EDT 2010


On Thu, Jul 29, 2010 at 9:13 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Wed, 28 Jul 2010 22:23:48 -0700
> geremy condra <debatem1 at gmail.com> wrote:
>> >
>> >   The new Python SSL module in 2.6 and later has a huge built-in
>> > security hole - it doesn't verify the domain against the
>> > certificate.  As someone else put it, this means "you get to
>> > talk securely with your attacker." As long as the site or proxy
>> > has some valid SSL cert, any valid SSL cert copied from anywhere,
>> > the new Python SSL module will tell you everything is just fine.
>> >
>> >                                John Nagle
>>
>> Did anything ever come of the discussion that you and Antoine had?
>
> As I wrote in http://bugs.python.org/issue1589, I would support adding
> the necessary function(s) to the SSL module, and have urllib (and other
> stdlib modules) support them. Someone needs to write a patch, though.
>
> Regards
>
> Antoine.

Hmm, my understanding at the time was that there had been a decision
to just adapt Heikki Toivonen's M2Crypto code. If that's just looking
for someone to turn it into a patch, I'll see if I can't find the time
next week.

Geremy Condra
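
The check this thread describes as missing, as an added example (not code from the thread, from M2Crypto, or from any stdlib patch): match the requested hostname against the names in the dict returned by `SSLSocket.getpeercert()`. The function names and the sample certificate are constructed for illustration; IP-address names and partial-label wildcards are not handled.

```python
import ssl

def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname. A wildcard is
    accepted only as the entire left-most label (RFC 6125 style)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # The wildcard covers exactly one label and needs at least two
        # fixed labels after it, so "*.com" never matches anything.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_matches_hostname(cert, hostname):
    """cert is a dict in the format returned by SSLSocket.getpeercert()."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        # When DNS subjectAltName entries exist, commonName is ignored.
        return any(dns_name_matches(name, hostname) for name in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_name_matches(value, hostname):
                return True
    return False

# Constructed sample: a certificate that chains to a trusted CA but was
# issued for a different site than the one the client asked for.
OTHER_SITE_CERT = {
    "subject": ((("commonName", "www.other.example"),),),
    "subjectAltName": (("DNS", "www.other.example"),
                       ("DNS", "*.cdn.other.example")),
}

def default_context_checks_hostname():
    # Current Python 3: the default client context requires a valid chain
    # and performs the hostname check itself.
    ctx = ssl.create_default_context()
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED

if __name__ == "__main__":
    print(cert_matches_hostname(OTHER_SITE_CERT, "bank.example"))
    print(default_context_checks_hostname())
```

Chain validation alone would accept `OTHER_SITE_CERT` for any host; the hostname comparison is what rejects it for `bank.example`.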


