[Python-Dev] PEP 476: Enabling certificate validation by default!
Christian Heimes christian at python.org
Wed Sep 3 00:41:46 CEST 2014
- Previous message: [Python-Dev] PEP 476: Enabling certificate validation by default!
- Next message: [Python-Dev] Bug 19494 ... urllib2.HTTPBasicAuthHandler for GitHub et al.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 02.09.2014 23:32, Antoine Pitrou wrote:
>> Furthermore, "disable verification" is a nonsensical thing to do with TLS.
>
> It's not. For example, if you have an expired cert, all you can do AFAIK
> is to disable verification.
It's possible to ignore or just warn about expired certs with a simple verify callback. The callback looks like this:

    int verify_callback(int ok, X509_STORE_CTX *ctx)
    {
        /* let an expired cert through, keep every other verification error */
        if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
            return 1;
        return ok;
    }
It's installed like this:

    PySSLContext *self;
    X509_STORE *store = SSL_CTX_get_cert_store(self->ctx);
    X509_STORE_set_verify_cb(store, verify_callback);
The X509_STORE_CTX struct is created when a certificate chain is verified. It holds all sorts of state, like the chain, the leaf cert, the current cert being tested, the validation depth, error flags and more. In order to write useful verify callbacks, I or somebody else has to write an X509_STORE_CTX type and an X509 cert type. It's something I have wanted to do for more than a year but I don't find any spare time. :(
Christian
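As an added example (not code from the message above or from CPython's _ssl.c), here is the shape such a callback takes once you want it to be safe to ship: it tolerates exactly one condition, an expired leaf certificate, and leaves every other verification failure fatal. The decision is kept in a plain function (verify_decision, a name chosen here) so it can be exercised without a live TLS handshake; the OpenSSL-facing wrapper verify_callback is compiled only when the OpenSSL headers are available, and the three X509_V_* constants used are defined locally with the values from OpenSSL's x509_vfy.h when they are not.

```c
/* Added example: an OpenSSL-style verify callback that tolerates only an
 * expired *leaf* certificate and rejects everything else.  Not from the
 * original message or from CPython's _ssl.c. */
#include <stdio.h>

#if defined(__has_include)
#  if __has_include(<openssl/x509_vfy.h>)
#    include <openssl/x509_vfy.h>
#    define HAVE_OPENSSL_X509 1
#  endif
#endif

#ifndef HAVE_OPENSSL_X509
/* Fallback so the decision logic compiles without OpenSSL installed.
 * Assumption: these values match OpenSSL's x509_vfy.h. */
#  define X509_V_OK                     0
#  define X509_V_ERR_CERT_NOT_YET_VALID 9
#  define X509_V_ERR_CERT_HAS_EXPIRED   10
#endif

/* Decide whether chain verification may continue.
 *   ok    - OpenSSL's own verdict for this step (1 = fine, 0 = error)
 *   err   - the X509_V_ERR_* code describing the failure
 *   depth - 0 for the leaf certificate, 1.. for CA certs up the chain
 * Returns 1 to keep going, 0 to fail the handshake. */
int verify_decision(int ok, int err, int depth)
{
    if (ok)
        return 1;   /* nothing to override */

    /* Only the leaf's expiry is tolerated.  An expired intermediate or
     * root is a different trust problem and stays fatal. */
    if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0) {
        fprintf(stderr, "warning: leaf certificate has expired, continuing\n");
        return 1;
    }

    /* Untrusted root, bad signature, not-yet-valid, hostname mismatch, ...:
     * all still fail. */
    return 0;
}

#ifdef HAVE_OPENSSL_X509
/* The function OpenSSL calls for each certificate in the chain (and again
 * for every error it finds).  Install it on the context's store with
 * X509_STORE_set_verify_cb(SSL_CTX_get_cert_store(ctx), verify_callback). */
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    int err   = X509_STORE_CTX_get_error(ctx);
    int depth = X509_STORE_CTX_get_error_depth(ctx);
    return verify_decision(ok, err, depth);
}
#endif
```

Two caveats a practitioner should keep in mind. The callback is invoked per certificate, so a check on the error code alone (as in the short snippet above) also waves through an expired intermediate or root, which is why the depth is consulted here. And OpenSSL's documentation for SSL_CTX_set_verify notes that when the callback lets a failure pass, the connection is established but the last error remains retrievable via SSL_get_verify_result, so the application should still inspect or log it rather than treat the handshake as cleanly verified.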