Message 115166 - Python tracker (original) (raw)

There are various errors I think ssl module should check. In the examples below I'll always refer to ssl.wrap_socket() function but I expect that ssl.SSLContext suffers the exact same issues.

=== server side mode ===

When server_side option is set to True it is always required that at least a certfile argument is specified. This condition is not verified if the socket is still not connected:

ssl.wrap_socket(socket.socket(), server_side=1) <ssl.SSLSocket object, fd=3, family=2, type=1, proto=0>

...later on, when the socket will be connected, we'll get this message:

SSLError: _ssl.c:296: Both the key & certificate files must be specified for server-side operation

I would change this behavior in SSLSocket constructor and raise ValueError if server_side is True and certfile is None. Also, the message coming from the C code should be adjusted to state than keyfile argument is not mandatory.

=== server side on connect ===

s = ssl.wrap_socket(socket.socket(), server_side=1) s.connect(('blogger.com', 443))

For consistency I would expect something like ValueError("can't connect in server-side mode") on connect().

=== no such certfile ===

os.path.exists('xxx') False ssl.wrap_socket(socket.socket(), certfile='xxx') Traceback (most recent call last): File "", line 1, in File "/home/giampaolo/svn/python-3.2/Lib/ssl.py", line 404, in wrap_socket ciphers=ciphers) File "/home/giampaolo/svn/python-3.2/Lib/ssl.py", line 132, in init self.context.load_cert_chain(certfile, keyfile) ssl.SSLError: [Errno 336445442] _ssl.c:1604: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib

A simple "IOError No such file or directory 'xxx'" exception would be a lot more clear.

=== invalid certfile ===

open('foo', 'w').write('blabla') 6 ssl.wrap_socket(socket.socket(), certfile="foo") Traceback (most recent call last): File "", line 1, in File "/home/giampaolo/svn/python-3.2/Lib/ssl.py", line 404, in wrap_socket ciphers=ciphers) File "/home/giampaolo/svn/python-3.2/Lib/ssl.py", line 132, in init self.context.load_cert_chain(certfile, keyfile) ssl.SSLError: [Errno 336445449] _ssl.c:1604: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

If possible, the error should be more clear about what happened. Something like "malformed certfile was provided" or something.