[Python-Dev] SSL Certificate Validation
Devin Cook devin.c.cook at gmail.com
Tue Jun 16 23:31:23 CEST 2009
- Previous message: [Python-Dev] SSL Certificate Validation
- Next message: [Python-Dev] SSL Certificate Validation
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> But I really do believe that this is what he needs to do next: familiarize himself with OpenSSL. There are a lot of APIs in that library, and it takes a while (i.e. several months) to get productive, in particular since OpenSSL doesn't have the most intuitive API.
Well, I realized this as soon as I looked at the _ssl.c code... I was just hoping that someone would be able to give me a quick clarification on exactly what gets validated. If it's just the chain (which is what I suspect), I would like to submit a patch that does the rest of the validation (that a browser typically does: CN/hostname, NotBefore, NotAfter, etc.) in the ssl module. I was also hoping to find out what the consensus is about this: mainly, should that verification be done in the ssl module? Maybe this verification should somehow be done in OpenSSL, which would mean that I need to do a LOT more reading and go pester their mailing list instead.
This is for issue 6273 ( http://bugs.python.org/issue6273 ). In your reply to that issue, it seemed to me like you were saying that these things were not getting checked in the ssl module (and, therefore, not in OpenSSL either):
> I find the patch incomplete, for formal and semantic reasons: a) it doesn't come with documentation or test suite changes, and b) it doesn't implement the typical certificate checks that browsers do, beyond validating that the certificate is valid - e.g. also validating that the certificate is issued to the host you are trying to connect to.
I would like to do validation of server certificates in a project I'm working on, and I figured it would be better to be proactive and try to help create a patch than to just sit back and complain about it. It seems to me that this is a bug that you can't do peer certificate validation in httplib.
If this isn't the place to ask these kinds of questions, I apologise. I can take the discussion elsewhere if I need to.
Thanks, -Devin
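The checks Devin lists beyond chain validation (hostname against CN/subjectAltName, notBefore, notAfter), run over a dict in the shape that the ssl module's getpeercert() returns, as an added example that is not part of this thread or of the Python ssl module. The certificate dict is constructed, and the matching rules (dNSName SANs preferred over the CN, a wildcard confined to the leftmost label) are the usual browser rules, not something the post specifies.

```python
from datetime import datetime

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    'subject': ((('countryName', 'US'),), (('commonName', 'www.example.com'),)),
    'subjectAltName': (('DNS', 'www.example.com'), ('DNS', '*.example.net')),
    'notBefore': 'Jun  1 00:00:00 2009 GMT',
    'notAfter': 'Jun  1 00:00:00 2010 GMT',
}
CERT_TIME_FORMAT = '%b %d %H:%M:%S %Y GMT'  # notBefore/notAfter layout

def parse_cert_time(value):
    # Collapse the padded day ('Jun  1') before parsing; result is naive UTC.
    return datetime.strptime(' '.join(value.split()), CERT_TIME_FORMAT)

def _dns_name_matches(pattern, hostname):
    # Case-insensitive; '*' allowed only as the whole leftmost label and it
    # never spans more than one label (so *.example.net != a.b.example.net).
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_problem(cert, hostname):
    # dNSName SANs are authoritative; the subject CN is a fallback only.
    names = [v for kind, v in cert.get('subjectAltName', ()) if kind == 'DNS']
    if not names:
        names = [v for rdn in cert.get('subject', ()) for k, v in rdn
                 if k == 'commonName']
    if any(_dns_name_matches(n, hostname) for n in names):
        return None
    return 'hostname %r not in certificate names %r' % (hostname, names)

def validity_problem(cert, now):
    not_before, not_after = (parse_cert_time(cert[k]) for k in ('notBefore', 'notAfter'))
    if now < not_before:
        return 'certificate not valid before %s' % not_before
    if now > not_after:
        return 'certificate expired on %s' % not_after
    return None

def check_peer_cert(cert, hostname, now=None):
    # The checks a browser does after chain validation; [] means all passed.
    now = now or datetime.utcnow()
    problems = [hostname_problem(cert, hostname), validity_problem(cert, now)]
    return [p for p in problems if p is not None]
```

In real use the dict would come from getpeercert() on a socket wrapped with CERT_REQUIRED, and a non-empty result should abort the connection.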