[Python-Dev] Issues in Python TLS (original) (raw)
Benjamin Peterson benjamin at python.org
Sat Aug 13 19:14:56 EDT 2016
- Previous message (by thread): [Python-Dev] Issues in Python TLS
- Next message (by thread): [Python-Dev] Issues in Python TLS
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Correctness of TLS certificate verification is known to depend deeply on distribution. Python began to verify certificates by default only in version 2.7.9. Many OS distributions (in particular, Ubuntu) did not enable verification for their stable distributions for backwards compatibility reasons. You might find looking at distro bugs for CVE-2014-9365 edifying.
Thank you for your work.
On Sat, Aug 13, 2016, at 03:56, Mauri Miettinen wrote:
Hello,
We are experimenting with a tool for inspecting how well languages and libraries support server certificate verification when establishing TLS connections. We are getting rather confusing results in our first major shootout of bundled CPython 2 and 3 versions in major, still supported OS distributions. We would love to get any insight into the test stubs and results. Maybe we are doing something horribly wrong?

Python 2 and 3 with Requests

Our stub code: https://github.com/ouspg/trytls/blob/v0.2.1/stubs/python-requests/run.py

This is good news. All major distributions successfully check the TLS certificates in all corner cases tested by TryTLS. It was good news that most distros also support SNI with this combination, the only exceptions being CentOS 6.8, Ubuntu 12.04.5 and Ubuntu 14.04.

Python 2 with urllib2

Our stub code: https://github.com/ouspg/trytls/blob/v0.2.1/stubs/python-urllib2/run.py

Alpine Edge, Alpine 3.1, Debian 8.5, Fedora 24 and Ubuntu 16.04 pass with flying colors. On the other hand, on CentOS 7.2 the test code accepts expired certificates, wrong hostnames, self-signed certificates and incomplete chains of trust. For CentOS 7.2 results see https://github.com/ouspg/trytls/tree/shootout-0.2/shootout/centos7#python-urllib2

It's worth noting that when any CA bundle is given the situation improves. However, since the stub works on most distributions as expected, this might be overlooked by the developers?

Python 3 with urllib

Our stub code: https://github.com/ouspg/trytls/blob/v0.2.1/stubs/python3-urllib/run.py

Alpine Edge, CentOS 6.8, CentOS 7.2 and Ubuntu 16.04 pass with flying colors. On Debian 8.5, Ubuntu 14.04 and Ubuntu 12.04 the test code accepts expired certificates, wrong hostnames, self-signed certificates and incomplete chains of trust. For Debian 8.5 results see https://github.com/ouspg/trytls/tree/shootout-0.2/shootout/debian-latest#python3-urllib

Again it is worth noting that if any CA bundle is given then the situation improves. Some experimentation we did with the test code suggests that:

    urllib.request.urlopen("https://" + host + ":" + port, cafile=None) -> DANGEROUS?
    urllib.request.urlopen("https://" + host + ":" + port) -> DANGEROUS?
    urllib.request.urlopen("https://" + host + ":" + port, cafile=None, cadefault=False) -> DANGEROUS?
    urllib.request.urlopen("https://" + host + ":" + port, cafile="/anyfile", cadefault=False) -> SAFE
    urllib.request.urlopen("https://" + host + ":" + port, cafile=None, cadefault=True) -> SAFE
    urllib.request.urlopen("https://" + host + ":" + port, cadefault=True) -> SAFE
    urllib.request.urlopen("https://" + host + ":" + port, cafile="/anyfile") -> SAFE

Summary

Our results overview is available from: https://github.com/ouspg/trytls/tree/shootout-0.2/shootout

People developing Python code that uses TLS might bump into nasty surprises with how differently bundled Python versions behave between modern and supported distributions. Or are we just simply doing something horribly wrong? Any feedback would be very welcome, as we will try to do an updated shootout with the new TryTLS version next week. We would love to get as fair, clean and comparable results as possible. Moreover, if you can recommend any docs on proper "Do's and Don'ts" we'd love a link to them.

Thank you very much,
Mauri Miettinen
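As an added example (not code from this thread, from TryTLS or from CPython), the following Python 3 script checks offline which kind of context a bare urlopen("https://...") would get on the interpreter it runs on, and shows the explicit-context form that does not depend on the distribution's default. The split Mauri observed follows from how urllib built its context: with cafile, capath or cadefault given it called ssl.create_default_context(), which always verifies, while with none given it used whatever ssl._create_default_https_context pointed at, which on builds that reverted PEP 476 was an unverified context. The helper names (context_verifies, default_https_context_verifies, make_verifying_context, fetch_verified, unverified_context) are the example's own.

```python
"""Probe the default HTTPS context and build an explicit verifying one.

Added example for the Python-Dev thread on TLS verification; not code from
TryTLS or CPython. All function names here are the example's own.
"""
import ssl
import urllib.request


def context_verifies(ctx):
    """True only if ctx both validates the chain and checks the hostname.

    A context that accepts expired, self-signed or wrong-host certificates,
    as the shootout saw on some distribution builds, fails one or both.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def default_https_context_verifies():
    """What urlopen("https://...") gets when no context is supplied.

    Since PEP 476 (2.7.9 / 3.4.3) urllib builds that context through
    ssl._create_default_https_context. Builds that reverted PEP 476 pointed
    this at ssl._create_unverified_context, which is the DANGEROUS case in
    the thread. The name is private, so return None if it is missing.
    """
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        return None
    return context_verifies(factory())


def unverified_context():
    """The context a PEP 476-reverted build effectively used (comparison only)."""
    return ssl._create_unverified_context()


def make_verifying_context(cafile=None):
    """A context that verifies regardless of the distribution default.

    ssl.create_default_context() loads the system CA store (or the given
    bundle) and sets CERT_REQUIRED plus check_hostname; this is what urlopen
    built internally in the SAFE cases (cafile=... or cadefault=True).
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    # Fail closed if a vendor patch changed the defaults. Set verify_mode
    # first: enabling check_hostname while verify_mode is CERT_NONE raises.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def fetch_verified(url, cafile=None, timeout=10):
    """Open url with an explicit verifying context.

    Bad chains or hostnames raise ssl.SSLError / ssl.CertificateError instead
    of being accepted silently. Uses context=, not the cafile/cadefault
    parameters, which were deprecated in 3.6 and removed in 3.13.
    """
    ctx = make_verifying_context(cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    print("default HTTPS context verifies:", default_https_context_verifies())
    print("explicit context verifies:",
          context_verifies(make_verifying_context()))
    print("unverified context verifies:",
          context_verifies(unverified_context()))
```

Running the script on an interpreter whose default context does not verify prints False on the first line; that is the build where the "DANGEROUS?" rows of the table above apply. Passing context= to urlopen sidesteps the question entirely and is the form that still works on current Python, since the cafile, capath and cadefault keyword arguments are gone as of 3.13.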