Python OpenSSL library

John Nagle nagle at animats.com
Tue Jun 15 22:56:46 EDT 2010


On 6/15/2010 1:27 PM, Antoine Pitrou wrote:
> On Mon, 14 Jun 2010 19:47:49 +0100
> Nobody<nobody at nowhere.com>  wrote:
>> On Mon, 14 Jun 2010 10:43:02 -0700, John Nagle wrote:
>>
>>>      The new SSL module in Python 2.6
>>
>> There isn't an SSL module in Python 2.6. There is a module named "ssl"
>> which pretends to implement SSL, but in fact doesn't.
>
> What do you mean by "doesn't"?
> Can you point to an open bug report describing the issue?

     http://bugs.python.org/issue1589

Just reopened by Antoine Pitrou.

Realistically, there are obscure situations where you might want to
open an SSL connection without hostname validation.  Those
situations are unusual.  (I actually do that to read the SSL
certificate, without sending data, in a system which collects data
from SSL certs. This is not the normal case.)

The typical Python user will expect SSL checking for URL opening
to behave like a browser does. They won't be up to speed on the
internal mechanics of X.509 certificates.  The default case should
be to require a hostname match (considering certificate wildcards,
multiple common names, multiple alt names, etc.).

Expecting the caller to do this check is unreasonable.  It's
about 70 lines of python code to cover all the cases.  And
that's without proper support for error reporting for internationalized
host names.

Without a hostname check, the SSL module ensures only, as someone
else points out, that "you have an encrypted connection to your
attacker".

				John Nagle
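The hostname check described in the message above, as an added example that is not part of the original thread or of Python's own `ssl` module: it consumes a certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()` (an assumption of this example), consults every DNS subjectAltName, falls back to all commonName entries only when the certificate has no DNS SANs, honours a wildcard only in the leftmost label and for exactly one label, canonicalises internationalized hostnames to their IDNA A-label form, and rejects `*.tld`-style names (a policy stricter than `ssl.match_hostname`, chosen here as an assumption). The sample certificates are constructed, not real.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate cannot be matched against the requested host."""


def _to_ascii(hostname):
    """Canonicalise a hostname for comparison: strip a trailing dot, encode
    internationalized labels to their IDNA A-label form, and lowercase.
    A label the idna codec refuses (e.g. over 63 octets) becomes a
    CertificateError instead of an opaque UnicodeError."""
    hostname = hostname.rstrip(".")
    try:
        return hostname.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise CertificateError("invalid hostname %r: %s" % (hostname, exc))


def _dnsname_match(pattern, hostname):
    """Match an already-canonical hostname against one certificate DNS name.

    RFC 6125 style rules: comparison is case-insensitive; a wildcard may
    appear only in the leftmost label and matches exactly one label, so
    *.example.com matches www.example.com but neither example.com nor
    a.b.example.com."""
    pattern = pattern.rstrip(".").lower()
    if not pattern:
        return False
    labels = pattern.split(".")
    leftmost, rest = labels[0], labels[1:]
    if any("*" in label for label in rest):
        raise CertificateError("wildcard not in leftmost label: %r" % pattern)
    if "*" not in leftmost:
        # No wildcard: the pattern must be an exact (case-insensitive) match.
        return pattern == hostname
    if leftmost.count("*") > 1 or len(labels) < 3:
        # Reject patterns such as a*b*.example.com and *.com; the second check
        # is stricter than ssl.match_hostname (an assumption of this example).
        raise CertificateError("wildcard certificate name too broad: %r" % pattern)
    # "*" inside the leftmost label may match any non-empty run of
    # non-dot characters; every other label must match literally.
    parts = [re.escape(leftmost).replace(r"\*", "[^.]+")]
    parts += [re.escape(label) for label in rest]
    return re.fullmatch(r"\.".join(parts), hostname) is not None


def match_hostname(cert, hostname):
    """Verify that `cert` (getpeercert() dict shape) was issued for `hostname`;
    raise CertificateError otherwise.

    All DNS subjectAltName entries are consulted; only when the certificate
    has none do the subject commonName entries count."""
    if not cert:
        raise CertificateError("empty or no certificate")
    host = _to_ascii(hostname)
    names = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            if _dnsname_match(value, host):
                return
            names.append(value)
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if _dnsname_match(value, host):
                        return
                    names.append(value)
    if not names:
        raise CertificateError("no DNS subjectAltName or commonName in certificate")
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, ", ".join(map(repr, names))))


def hostname_matches(cert, hostname):
    """Boolean convenience wrapper around match_hostname()."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


# Constructed sample certificates in getpeercert() shape (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}
IDN_CERT = {"subject": (), "subjectAltName": (("DNS", "xn--bcher-kva.example"),)}

if __name__ == "__main__":
    checks = [(SAN_CERT, "www.example.com"), (SAN_CERT, "a.b.example.com"),
              (SAN_CERT, "ignored.example.net"), (CN_ONLY_CERT, "legacy.example.org"),
              (IDN_CERT, "b\u00fccher.example")]
    for cert, host in checks:
        print("%-22s %s" % (host, "OK" if hostname_matches(cert, host) else "MISMATCH"))
```

Because DNS SANs are present in `SAN_CERT`, its commonName `ignored.example.net` is never consulted; that precedence is what lets a certificate carry a CN that no longer names a host without widening what it matches.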
