[Python-Dev] pip SSL

Donald Stufft donald at stufft.io
Sat Oct 19 19:57:30 CEST 2013


One of the reasons we switched to using requests was to help centralize the SSL
handling code over to requests. So any issues could be fixed there and we just
pull in a newer version of requests.

On Oct 19, 2013, at 11:52 AM, Christian Heimes <christian at python.org> wrote:

> Am 19.10.2013 16:59, schrieb Nick Coghlan:
> > It's the cert verification in pip that's relevant - the PEP was 
> > updated so that ensurepip itself never talks to the internet. So I 
> > guess that would mean checking the cert verification in pip's
> > vendored copy of requests: 
> > https://github.com/pypa/pip/tree/develop/pip/vendor/requests
> > 
> > (So I guess if you do find any issues, they would likely be
> > applicable to the upstream requests package as well)
> 
> Oh heck, where should I start?
> 
> The cacert.pem file is outdated. Also it's unclear who has generated
> the file and how it was generated from certdata.txt. It may very well
> contain revoked certificates, too. You can find the latest version of
> the file at
> http://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
> A proper tool is required to generate a correct PEM file. It must
> understand *ALL* fields. I have some code for that but it's not ready yet.
> 
> 
> pip uses requests and requests rolls its own code for or on top of
> Python stdlib modules, e.g. urllib3 with ssl_match_hostname. The
> method has the same security flaw as Python's ssl.match_hostname()
> function for IDNs. I'm a bit worried that we have to review and
> validate all 3rd party packages and copies of stdlib modules for issues.
> 
> 
> The assert_fingerprint() function looks kinda funny. It uses sha1() or
> md5() on the DER representation of the cert. It's not how you are
> supposed to take fingerprints for cert pinning. But Python's ssl has no
> way to get the SPKI from the cert yet. I'm working on that as well.
> 


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
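As an added illustration of the point raised above about assert_fingerprint() hashing the whole DER certificate rather than the SubjectPublicKeyInfo (example code, not from pip, requests or urllib3): the tiny DER helpers and the certificate-shaped sample below are constructed for this example, the sample is not a real or signed certificate, and the function names are assumptions. It shows why a whole-cert digest breaks on every reissue while an SPKI digest survives as long as the key is unchanged.

```python
import hashlib

# Tiny DER encoder/decoder written for this example (not a full ASN.1 codec).
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the raw DER bytes of
    subjectPublicKeyInfo (6th field of tbsCertificate after the optional [0] version)."""
    _, cert, _ = read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, end = read_tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                     # drop explicit [0] version if present
        fields = fields[1:]
    return fields[5][1]   # serial, signature, issuer, validity, subject, SPKI

def cert_fingerprint(cert_der):
    # What a whole-certificate pin hashes: the complete DER certificate.
    return hashlib.sha1(cert_der).hexdigest()

def spki_fingerprint(cert_der):
    # Pin the key, not the certificate: digest over SubjectPublicKeyInfo.
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def fake_cert(serial, spki):
    """Constructed, unsigned certificate-shaped DER for demonstration only."""
    oid = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + oid
              + tlv(0x30, b"") + tlv(0x30, tlv(0x17, b"131019000000Z") * 2)
              + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + oid + tlv(0x03, b"\x00" + b"\xff" * 4))

# Constructed SPKI: rsaEncryption OID + NULL params + placeholder key bits (not a real key).
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))
           + tlv(0x03, b"\x00" + bytes(range(1, 33))))
CERT_A = fake_cert(b"\x01", SPKI)   # original certificate
CERT_B = fake_cert(b"\x02", SPKI)   # reissued with a new serial, same key
```

Comparing the two fingerprints of CERT_A and CERT_B shows the whole-certificate SHA-1 changing on reissue while the SPKI SHA-256 stays the same.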
