Issue 1581: xmlrpclib.ServerProxy() doesn't use x509 data
Created on 2007-12-10 19:41 by ahasenack, last changed 2022-04-11 14:56 by admin. This issue is now closed.
Messages (9)
Author: Andreas Hasenack (ahasenack)
Date: 2007-12-10 19:41
I was trying to use xmlrpclib.ServerProxy() with https and client certificate validation (I know httplib doesn't do server certificate validation yet). I found no way to pass on host/uri as a (host,x509_dict) tuple as the connection methods support, so I came up with this patch.
Author: Guido van Rossum (gvanrossum) *
Date: 2007-12-10 19:53
This should be considered for 2.6, not 2.5 (which is in feature freeze).
I'm hoping Bill Janssen can review this.
Author: Martin v. Löwis (loewis) *
Date: 2007-12-10 22:16
I would like to ask the submitter to review the code himself for suitability in 2.6. The underlying API has been extended a lot, so it's unlikely that this patch is still the best choice.
Author: Andreas Hasenack (ahasenack)
Date: 2007-12-11 12:52
The only difference between xmlrpclib.py from trunk and 2.5.1 is in the Marshaller class. Unrelated, as far as I can see.
Note that it seems that the intent of the original code was to support this x509-dict all along:
$ grep -n x509 xmlrpclib.py.trunk
1224: # Host may be a string, or a (host, x509-dict) tuple; if a string,
1228: # @param host Host descriptor (URL or (URL, x509 info) tuple).
1230: # x509 info). The header and x509 fields may be None.
1234: x509 = {}
1236: host, x509 = host
1251: return host, extra_headers, x509
1262: host, extra_headers, x509 = self.get_host_info(host)
1282: host, extra_headers, x509 = self.get_host_info(host)
1362: # host may be a string, or a (host, x509-dict) tuple
1364: host, extra_headers, x509 = self.get_host_info(host)
1372: return HTTPS(host, None, **(x509 or {}))
Basically just the ServerProxy constructor doesn't support it. One would have to create a new class with a new constructor just because of it. That's why I opened this ticket.
Author: Sean Reifschneider (jafo) *
Date: 2008-03-18 00:32
This patch also needs to include a patch to the documentation.
Martin: Do you agree with the discussion on the changes for 2.6?
Author: Bill Janssen (janssen) *
Date: 2008-03-18 16:53
Looking at this patch, I definitely agree with the need for documentation. And a test case which uses the SafeTransport class. But the patch itself also needs a bit more work. (It uses httplib.HTTPS underneath, and that needs more work, too.) At a minimum, the caller should be able to optionally specify somehow, either as a constructor arg, or otherwise (a module-global variable, perhaps), a set of certificate-authority root certs, which, if specified, would cause client-side validation of the server's certificate. I think this should be added as an optional constructor arg to the HTTPS class.
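Added example, not the patch attached to this issue and not code from any participant: one way to get both things the thread asks for (a client certificate passed through the ServerProxy constructor, and validation of the server's certificate against CA roots) using Python 3's xmlrpc.client, the successor of xmlrpclib, and its `context` parameter. The function name `proxy_from_host` and the `ca_file` dictionary key are assumptions made for this example; `cert_file` and `key_file` follow the keyword names the old HTTPS class accepted.

```python
import ssl
import urllib.parse
import xmlrpc.client


def proxy_from_host(host):
    """Accept a URL or a (URL, x509-dict) tuple and return (proxy, context).

    x509-dict keys: cert_file and key_file (as the old HTTPS class took),
    plus ca_file, a hypothetical key added for this example.
    """
    url, x509 = host if isinstance(host, tuple) else (host, None)
    x509 = x509 or {}

    # ServerProxy only hands the context to SafeTransport for https URLs;
    # for http it would be dropped silently, so refuse that here.
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("TLS settings require an https:// URL: %r" % url)

    # SERVER_AUTH defaults: verify_mode=CERT_REQUIRED, check_hostname=True.
    # With ca_file=None the system trust store is used.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH,
                                     cafile=x509.get("ca_file"))

    # Present a client certificate only when one was supplied; a missing or
    # unreadable file raises here instead of connecting without it.
    if x509.get("cert_file"):
        ctx.load_cert_chain(x509["cert_file"], x509.get("key_file"))

    # Constructing the proxy does not open a connection.
    return xmlrpc.client.ServerProxy(url, context=ctx), ctx


if __name__ == "__main__":
    # Constructed sample endpoint; nothing is contacted.
    proxy, ctx = proxy_from_host(("https://rpc.example.invalid/RPC2", {}))
    print(ctx.verify_mode, ctx.check_hostname)
```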
Author: Guido van Rossum (gvanrossum) *
Date: 2008-03-18 21:02
Let's tentatively say this needs to go into 2.6. Bill, if in the end you decide against it, just reject the patch.
Author: Bill Janssen (janssen) *
Date: 2008-03-19 00:35
No test case. No provision for client validation of server certificate.
Author: Benjamin Peterson (benjamin.peterson) *
Date: 2008-07-31 02:00
I assume you wanted to close this too.
History
Date | User | Action | Args
2022-04-11 14:56:28 | admin | set | github: 45922
2008-07-31 02:00:17 | benjamin.peterson | set | status: open -> closed; nosy: + benjamin.peterson; messages: +
2008-03-19 00:35:13 | janssen | set | resolution: rejected; messages: +
2008-03-18 21:02:15 | gvanrossum | set | priority: critical; messages: +; versions: + Python 2.6, - Python 2.5
2008-03-18 16:53:02 | janssen | set | messages: +
2008-03-18 00:32:53 | jafo | set | nosy: + jafo; messages: +
2007-12-11 12:52:28 | ahasenack | set | messages: +
2007-12-10 22:16:57 | loewis | set | nosy: + loewis; messages: +
2007-12-10 19:53:27 | gvanrossum | set | assignee: janssen; messages: +; nosy: + gvanrossum, janssen
2007-12-10 19:41:26 | ahasenack | create |