[Python-Dev] SSL Certificate Validation

Bill Janssen janssen at parc.com
Tue Jun 16 23:45:14 CEST 2009


Devin Cook <devin.c.cook at gmail.com> wrote:

> Also, I have looked through the docs and code, but haven't been able to
> figure out exactly what is included in certificate "validation". Is it just
> validating the chain? Does it check the NotBefore and NotAfter dates?

I believe so, but you'll have to check the OpenSSL code.

> Does it check that the host the socket is connected to is the same as
> what's given in the CN field in the certificate?

No.  That, in general, doesn't work very well.  The IETF working group
on this is considering deprecating putting a hostname in the CN field at
all, and just adding hostnames via the subjectAltName extension.  The
problem that's come up is that many computers don't have fixed IP
addresses, and even with that the hostname is part of a different
mapping of hostnames to IP addresses, which can also vary.

I think that when the https: protocol scheme was written, it seemed like
a good idea, but conventions on the Internet have changed a lot since
then.

> Where I'm going with this is I think all this checking needs to be part of
> certificate validation in the ssl module.

I don't think so.  I put in hooks to let you do this in user code if you
need to.  See the archives for more discussion on this -- I'm not going to
rehash it again.

(This is really a question for OpenSSL mailing lists, or perhaps python-list.)

Bill

