[Python-Dev] SSL Certificate Validation
Bill Janssen janssen at parc.com
Tue Jun 16 23:45:14 CEST 2009
Devin Cook <devin.c.cook at gmail.com> wrote:
> Also, I have looked through the docs and code, but haven't been able to figure out exactly what is included in certificate "validation". Is it just validating the chain? Does it check the NotBefore and NotAfter dates?
I believe so, but you'll have to check the OpenSSL code.
> Does it check that the host the socket is connected to is the same as what's given in the CN field in the certificate?
No. That, in general, doesn't work very well. The IETF working group on this is considering deprecating putting a hostname in the CN field at all, and just adding hostnames via the subjectAltName extension. The problem that's come up is that many computers don't have fixed IP addresses, and even with that the hostname is part of a different mapping of hostnames to IP addresses, which can also vary.
I think that when the https: protocol scheme was written, it seemed like a good idea, but conventions on the Internet have changed a lot since then.
> Where I'm going with this is I think all this checking needs to be part of certificate validation in the ssl module.
I don't think so. I put in hooks to let you do this in user code if you need to. See the archives for more discussion on this -- I'm not going to rehash it again.
(This is really a question for OpenSSL mailing lists, or perhaps python-list.)
Bill
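As an added example (not Bill's code and not part of the ssl module of that era), here is the check that user code had to supply on top of chain validation, written for a current Python 3: a hostname match over the dict returned by getpeercert(), preferring subjectAltName DNS entries and falling back to the subject CN only when the certificate carries no DNS SAN, plus the NotBefore/NotAfter check Devin asked about. The `verify_peer` helper, the sample certificate dict and the hostnames are constructed for illustration.

```python
import ssl
import time

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.test"),)),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _dns_match(pattern, hostname):
    """RFC 2818-style comparison: case-insensitive, and '*' may stand only for
    the whole leftmost label of a pattern that has at least two further labels
    (so '*.test' never matches, and partial wildcards like 'f*.x' are rejected)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] == "*":
        return len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]
    return "*" not in pattern and p == h


def hostname_matches_cert(cert, hostname):
    """True if hostname is covered by the certificate dict. DNS subjectAltName
    entries are authoritative when present; the CN is consulted only without them."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_match(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


def cert_is_current(cert, now=None):
    """NotBefore <= now <= NotAfter, using the ssl module's own date parser."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])


def verify_peer(sock, hostname):
    """Run, after a CERT_REQUIRED handshake on ssl.SSLSocket `sock`, the checks
    the ssl module leaves to user code; raises ssl.CertificateError on failure."""
    cert = sock.getpeercert()
    if not cert:
        raise ssl.CertificateError("no peer certificate; was verify_mode CERT_REQUIRED?")
    if not cert_is_current(cert):
        raise ssl.CertificateError("certificate is outside its validity period")
    if not hostname_matches_cert(cert, hostname):
        raise ssl.CertificateError("certificate does not match host %r" % (hostname,))
    return cert
```

getpeercert() returns an empty dict unless the handshake validated the chain, which is why `verify_peer` treats an empty result as a failure rather than a pass.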