[Python-Dev] pip SSL

Christian Heimes christian at python.org
Sat Oct 19 17:52:48 CEST 2013



On 19.10.2013 16:59, Nick Coghlan wrote:

> It's the cert verification in pip that's relevant - the PEP was updated so that ensurepip itself never talks to the internet. So I guess that would mean checking the cert verification in pip's vendored copy of requests: https://github.com/pypa/pip/tree/develop/pip/vendor/requests
>
> (So I guess if you do find any issues, they would likely be applicable to the upstream requests package as well)

Oh heck, where should I start?

The cacert.pem file is outdated. Also it's unclear who has generated the file and how it was generated from certdata.txt. It may very well contain revoked certificates, too. You can find the latest version of the file at http://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt . A proper tool is required to generate a correct PEM file. It must understand ALL fields. I have some code for that but it's not ready yet.

pip uses requests and requests rolls its own code for or on top of Python stdlib modules, e.g. urllib3 with ssl_match_hostname. The method has the same security flaw as Python's ssl.match_hostname() function for IDNs. I'm a bit worried that we have to review and validate all 3rd party packages and copies of stdlib modules for issues.

The assert_fingerprint() function looks kinda funny. It uses sha1() or md5() on the DER representation of the cert. It's not how you are supposed to take fingerprints for cert pinning. But Python's ssl has no way to get the SPKI from the cert yet. I'm working on that as well.
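Editor's note, as an added example that is not part of the original message nor of pip, requests or urllib3: the difference the message draws between hashing the whole DER certificate and hashing its SubjectPublicKeyInfo (SPKI). The code below walks the outer ASN.1 structure of a DER certificate with a minimal TLV reader, pulls out the SPKI element, and compares a whole-certificate fingerprint with an SPKI pin across a renewed certificate that keeps its key and one that changes it. The certificates are constructed in the block itself with a tiny DER encoder, with placeholder key and signature bytes, so they are not valid X.509 certificates and only exercise the structural walk; the helper names (`extract_spki`, `spki_pin`, `cert_fingerprint`, `build_fake_cert`) are this example's own, not any library's API.

```python
import base64
import hashlib

# --- minimal DER encoder, used only to construct the sample certificates ---

def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_int(n):
    # one extra byte guarantees a leading zero when the top bit is set
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

# rsaEncryption and sha256WithRSAEncryption OIDs (1.2.840.113549.1.1.1 / .11)
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"

def build_fake_spki(key_bytes):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.
    key_bytes is a constructed placeholder, not a real RSA key."""
    alg = der_seq(der(0x06, RSA_OID), der(0x05, b""))
    return der_seq(alg, der(0x03, b"\x00" + key_bytes))

def build_fake_cert(serial, spki):
    """Structurally shaped like an X.509 v3 Certificate; the signature is a
    placeholder, so this is a constructed sample, not a trustworthy cert."""
    version = der(0xA0, der_int(2))                     # [0] EXPLICIT v3
    sig_alg = der_seq(der(0x06, SHA256_RSA_OID), der(0x05, b""))
    cn = der_seq(der(0x06, b"\x55\x04\x03"), der(0x0c, b"example.test"))
    name = der_seq(der(0x31, cn))                       # Name: one RDN with CN
    validity = der_seq(der(0x17, b"230101000000Z"), der(0x17, b"240101000000Z"))
    tbs = der_seq(version, der_int(serial), sig_alg, name, validity, name, spki)
    return der_seq(tbs, sig_alg, der(0x03, b"\x00" * 9))

# --- minimal DER reader and SPKI extraction, the part a pinning check needs ---

def _read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV (tag + length + content) of a DER cert."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = _read_tlv(cert_body, 0)
    assert tag == 0x30, "TBSCertificate must be a SEQUENCE"
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                  # optional [0] version; absent means v1
        pos = nxt
    for _ in range(5):               # serial, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return tbs[pos:end]

def cert_fingerprint(cert_der, algo="sha256"):
    """Fingerprint over the whole certificate: changes on every re-issue."""
    return hashlib.new(algo, cert_der).hexdigest()

def spki_pin(cert_der):
    """HPKP-style pin: base64(sha256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def demo():
    key_a = b"constructed-placeholder-key-A"
    spki_a = build_fake_spki(key_a)
    cert1 = build_fake_cert(0x1001, spki_a)
    cert2 = build_fake_cert(0x1002, spki_a)   # renewed: new serial, same key
    cert3 = build_fake_cert(0x1003, build_fake_spki(b"constructed-placeholder-key-B"))
    return {
        "whole_cert_fp_stable": cert_fingerprint(cert1) == cert_fingerprint(cert2),
        "spki_pin_stable": spki_pin(cert1) == spki_pin(cert2),
        "spki_pin_differs_on_new_key": spki_pin(cert1) != spki_pin(cert3),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The whole-certificate digest breaks as soon as the server renews its certificate with the same key, which is why a pin over the SPKI is the usual choice: it survives re-issue and only changes when the key does. Note that the reader above handles only the fixed leading fields of TBSCertificate; a real implementation should use a full ASN.1 parser or a library that exposes the SPKI directly.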
