[Catalog-sig] [PSF-Members] SSL validation
Giovanni Bajo
rasky at develer.com
Mon Feb 4 17:15:57 CET 2013
On 04/feb/2013, at 17:04, "Antoine Pitrou" <solipsis at pitrou.net> wrote:
>
> Hi,
>
>> On 04/feb/2013, at 16:02, Laurens Van Houtven <_ at lvh.cc>
>> wrote:
>>
>>> On Mon, Feb 4, 2013 at 3:51 PM, Giovanni Bajo <rasky at develer.com> wrote:
>>>>
>>>>
>>>> (That reminds me; does the stdlib still ignore OCSP?)
>>>>
>>>> TBH, it's worse than that; it doesn't even check SSL certificates by
>>>> default. The default is to ignore any certificate sent by the server
>>>> and get on with the connection.
>>>
>>> Right, but IIUC you can at least convince it to do verify certs by
>>> setting the appropriate flag;
>>
>> Something like that; it's missing an (auto-updating) CA bundle or a way to
>> read the operating system's one, and a function that matches the server
>> name with either CN and SAN fields with the correct wildcard rules (this
>> was added in Python 3.2).
>
> SSLContext is your friend:
> http://docs.python.org/3.3/library/ssl.html#ssl.SSLContext.set_default_verify_paths
Thanks for the pointer, but that's 3.2+ only. We need a working solution for all versions supported by pip, if we treat it as a security bug (I think we should).
> If you want to maintain a CA bundle that would be shipped with Python, this
> can be discussed on python-dev.
Thanks, but I don't know if I'll have time for this.
On the contrary, as I already stated, I'm volunteering for doing some work on pip/PyPI.
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
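The two verification pieces the thread says the older stdlib lacks, as an added example that is not from this thread, pip or CPython itself: a simplified hostname matcher over the dict layout returned by `SSLSocket.getpeercert()` (SAN dNSName entries first, subject CN only as a fallback, a wildcard honoured only as the whole leftmost label), and an `SSLContext` that requires chain verification and loads the system CA paths via `set_default_verify_paths()`. The certificate dict below is constructed, not a real certificate.

```python
import ssl


def _dnsname_match(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    Simplified rules in the spirit of ssl.match_hostname (3.2+): the wildcard
    is honoured only as the entire leftmost label, matches exactly one label,
    and needs at least two labels after it, so '*.pypi.org' matches
    'files.pypi.org' but not 'a.b.pypi.org', 'pypi.org' or anything for '*.org'.
    """
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or any('*' in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def match_hostname(cert, hostname):
    """True when `hostname` is covered by the SAN dNSName entries of `cert`, or
    by the subject commonName only when the certificate has no dNSName SAN.
    `cert` uses the dict layout of SSLSocket.getpeercert()."""
    dns_names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not dns_names:  # CN is a fallback, never consulted alongside a SAN
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    dns_names.append(value)
    return any(_dnsname_match(name, hostname) for name in dns_names)


def verifying_context():
    """Client context that rejects unverified chains and mismatched names,
    using the OpenSSL default CA locations (what set_default_verify_paths loads)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the pre-3.2 default was CERT_NONE
    ctx.check_hostname = True
    ctx.set_default_verify_paths()
    return ctx


# Constructed sample in getpeercert() layout; hostnames are illustrative only.
SAMPLE_CERT = {
    'subject': ((('commonName', 'pypi.python.org'),),),
    'subjectAltName': (('DNS', 'pypi.python.org'), ('DNS', '*.pypi.org')),
}

if __name__ == '__main__':
    print(match_hostname(SAMPLE_CERT, 'files.pypi.org'))   # True
    print(match_hostname(SAMPLE_CERT, 'a.b.pypi.org'))     # False
```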