[Python-Dev] Simplify and unify SSL verification

Christian Heimes christian at python.org
Fri Nov 8 01:02:33 CET 2013


Somehow your mail didn't end up on Python-dev

On 08.11.2013 00:38, Nick Coghlan wrote:

> In that case, it sounds like you need two new options rather than one. "verifyhostname", with the None/True/False behaviour and a separate postverify hook.

Mmmh, yes, you are making an intriguing point. Two different options are easier to understand and more powerful.

> It contains the word verify, but if I'm correct in thinking you intend for the new callback to be invoked only if the checks specified by verify_mode pass, then I would suggest "postverify", and skip adding the separate method.

The tests specified by verify_mode are done by OpenSSL during the protocol handshake. The SSLSocket object has no peer, peer cert and transport information before the handshake is done. So yes, these checks are always done before Python can match the hostname of the peer's cert and before the postverify hook can run.

OpenSSL has a verify callback hook that is called for each certificate in the trust chain starting with the peer cert up to a root cert. This callback is too low level and too complex to be useful for the majority of users. Python would also have to gain wrappers for X509_STORE and X509_STORE_CTX objects... You don't want to know the difference :)
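The ordering discussed above (OpenSSL validates the chain per verify_mode during the handshake; only afterwards can Python match the hostname and then run a post-verify hook) can be illustrated with a small post-handshake pipeline. The following is an added example written for this thread, not code from CPython or from the message authors: it takes a peer certificate in the dict layout that SSLSocket.getpeercert() returns, applies a hostname check with the None/True/False behaviour Nick describes (None is assumed to mean "use the context default", taken here as True), and invokes a hypothetical `postverify` hook only when the earlier checks passed. The certificate dicts and the CA name used in the hook are constructed sample data; the hostname-matching rules are a conservative reading of RFC 6125 and are not the ssl module's own implementation.

```python
"""Post-handshake verification pipeline (added example, not CPython code).

Assumptions: cert dicts use the SSLSocket.getpeercert() layout, `postverify`
is a hypothetical hook name from the thread, and verify_hostname=None falls
back to an assumed context default of True. All sample data is constructed.
"""
import ssl  # used only for ssl.CertificateError
from typing import Callable, Iterable, Optional

PostVerifyHook = Callable[[dict, str], None]


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName against a hostname; wildcard only as the whole
    leftmost label, never covering a public suffix or an IDNA A-label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels, host_labels = pattern.split("."), hostname.split(".")
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
        return False  # e.g. "f*o.example.com" or "*.*.example.com"
    if len(labels) < 3:
        return False  # refuse "*.com"
    if len(host_labels) != len(labels):
        return False  # wildcard covers exactly one label
    if not host_labels[0] or host_labels[0].startswith("xn--"):
        return False
    return host_labels[1:] == labels[1:]


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise ssl.CertificateError unless the cert names `hostname`.

    Runs after the handshake, because before it there is no peer cert at all
    (and with verify_mode=CERT_NONE getpeercert() returns an empty dict).
    """
    if not cert:
        raise ValueError("empty peer certificate: nothing to match")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # commonName is consulted only when no dNSName SAN is present
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if any(_dnsname_match(n, hostname) for n in names):
        return
    raise ssl.CertificateError(
        "hostname %r doesn't match %s"
        % (hostname, ", ".join(map(repr, names)) or "any name"))


def post_handshake_checks(cert: dict, hostname: str,
                          verify_hostname: Optional[bool] = None,
                          postverify: Optional[PostVerifyHook] = None,
                          context_default: bool = True) -> bool:
    """Checks that can only run once OpenSSL has finished the handshake.

    verify_hostname: None -> context default, False -> skip, True -> check.
    postverify: called only if every preceding check passed.
    Returns True on success; raises on failure.
    """
    if verify_hostname is None:
        verify_hostname = context_default  # assumed default behaviour
    if verify_hostname:
        match_hostname(cert, hostname)
    if postverify is not None:
        postverify(cert, hostname)
    return True


def require_issuer(allowed_orgs: Iterable[str]) -> PostVerifyHook:
    """Example post-verify hook: accept only certificates issued by a CA whose
    organizationName is in the allowed set (a simple CA-pinning policy)."""
    allowed = set(allowed_orgs)

    def hook(cert: dict, hostname: str) -> None:
        orgs = {v for rdn in cert.get("issuer", ())
                for k, v in rdn if k == "organizationName"}
        if not orgs & allowed:
            raise ssl.CertificateError(
                "issuer %r not in allowed set %r" % (sorted(orgs), sorted(allowed)))
    return hook


# Constructed sample certificates in getpeercert() layout (not real certs).
CERT_SAN = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Constructed Test CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Constructed Test CA"),),),
}

if __name__ == "__main__":
    hook = require_issuer({"Constructed Test CA"})
    print(post_handshake_checks(CERT_SAN, "www.example.com", postverify=hook))
```

In a real connection `cert` would come from `sock.getpeercert()` after `do_handshake()` with `verify_mode=CERT_REQUIRED`; the pipeline above only layers the Python-side checks on top of what OpenSSL has already enforced, which is the ordering Christian describes.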
