I've decided to post here the patch proposed by Ed Phillips, since I think it's a simple addition to socket.ssl that will drastically increase its usefulness... The point of the patch is for a socket.ssl object to check the certificate received from the peer. http://mail.python.org/pipermail/python-list/2003-July/174933.html
I think you are mis-interpreting the purpose of the key_file and cert_file arguments. They do *not* indicate the certificate of the trusted CAs, but provide the key and certificate of the *client*. By re-interpreting the cert_file as the file of the trusted CAs, you break client-side authentication. Therefore, I reject this patch. That said, I do agree that checking server-side certificates is a useful thing, so I encourage you to provide a new patch which does that, e.g. by adding a certificate_chain_file argument (or some such).
This should be reopened. Just because the proposed fix didn't work is no reason to close the defect report. Currently, Python will accept the following totally bogus certificate (from www.amaison.co.uk) as valid:

C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root@localhost.localdomain

Issuer identity:
C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root@localhost.localdomain
This was a patch submission, asking that the proposed patch be integrated. I rejected the patch, and the issue is done. If you want to report a bug, please do so as a separate issue (you may include a patch also, but then the description should clearly state what the bug is - this issue doesn't). Of course, as a bug report, it may stay open unreviewed for several years if no patch is contributed that fixes it.
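The two checks the thread says socket.ssl never performed, shown with the modern `ssl` module as an added example (this is not code from the bug report or from Python itself). The first half reproduces the bogus www.amaison.co.uk certificate quoted above as a constructed `getpeercert()`-style dict and flags what is wrong with it: subject equals issuer (self-signed) and no name covers the host that was contacted. The second half builds a client context that keeps the two roles the rejected patch conflated apart: `load_verify_locations` supplies the trusted CAs used to judge the *server's* certificate, while `load_cert_chain` supplies the *client's* own key and certificate, the role `key_file`/`cert_file` play in the old API. The certificate contents, the `www.amaison.co.uk` host name and the `GOOD_PEER_CERT` sample are constructed for illustration; `hostname_matches` is a deliberately minimal matcher, not a substitute for the library's own hostname verification.

```python
import ssl

# Constructed sample: the subject/issuer quoted in the thread, laid out the way
# ssl.SSLSocket.getpeercert() returns a parsed certificate: a tuple of RDNs,
# each a tuple of (attribute, value) pairs. Subject == issuer, so it is self-signed.
BOGUS_DN = (
    (("countryName", "--"),),
    (("stateOrProvinceName", "SomeState"),),
    (("localityName", "SomeCity"),),
    (("organizationName", "SomeOrganization"),),
    (("organizationalUnitName", "SomeOrganizationalUnit"),),
    (("commonName", "localhost.localdomain"),),
    (("emailAddress", "root@localhost.localdomain"),),
)
BOGUS_PEER_CERT = {"subject": BOGUS_DN, "issuer": BOGUS_DN}

# Constructed counter-example: a CA-issued certificate whose SAN covers the host.
GOOD_PEER_CERT = {
    "subject": ((("commonName", "www.amaison.co.uk"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (("DNS", "www.amaison.co.uk"), ("DNS", "amaison.co.uk")),
}


def dn_field(dn, name):
    """Return one attribute (e.g. 'commonName') from a parsed DN, or None if absent."""
    for rdn in dn:
        for key, value in rdn:
            if key == name:
                return value
    return None


def cert_names(cert):
    """DNS names the certificate claims: SAN dNSName entries, falling back to the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = dn_field(cert.get("subject", ()), "commonName")
        if cn:
            names.append(cn)
    return names


def hostname_matches(pattern, hostname):
    """Minimal matcher: case-insensitive exact match, or one leading '*.' wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_peer_cert(cert, expected_hostname):
    """Return the problems found with a parsed peer certificate; an empty list means acceptable."""
    problems = []
    if not cert:
        # getpeercert() returns {} when verify_mode is CERT_NONE: without verification
        # enabled there is nothing to inspect after the fact.
        problems.append("no certificate data (verify_mode is CERT_NONE or peer sent none)")
        return problems
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed: subject equals issuer")
    names = cert_names(cert)
    if not any(hostname_matches(n, expected_hostname) for n in names):
        problems.append(f"hostname mismatch: certificate names {names} do not cover {expected_hostname!r}")
    return problems


def verifying_client_context(ca_file, client_cert=None, client_key=None):
    """Client context that verifies the server's certificate chain and hostname.

    ca_file populates the trust store (trusted CAs); client_cert/client_key are the
    client's own identity for mutual TLS. They are different inputs and must not be
    conflated, which is the objection raised against the patch above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_file)   # who we trust to vouch for the server
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)  # who we are
    return ctx


if __name__ == "__main__":
    for label, cert in (("bogus", BOGUS_PEER_CERT), ("good", GOOD_PEER_CERT)):
        print(label, check_peer_cert(cert, "www.amaison.co.uk") or "OK")
```

Running the block prints the two findings for the constructed bogus certificate and `OK` for the good one. With a real socket, call `check_peer_cert(sock.getpeercert(), host)` only as a belt-and-braces step after a context built like `verifying_client_context`; with `CERT_NONE` the parsed dict is empty, so a post-handshake check cannot stand in for enabling verification.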