Issue1115631
Created on 2005-02-03 18:42 by noonian, last changed 2005-02-04 19:52 by tjreedy.
|
msg47652 - (view) |
Author: James Eagan (noonian) |
Date: 2005-02-03 18:42 |
|
One line summary: adds certificate validation to the SSL module
and programmer-level hooks to control how and whether
certificate validation is performed.
Details:
The current SSL implementation in Python goes through the
motions of negotiating an SSL connection, but never validates the
certificates exchanged. This is like going through the motions of
checking someone's photo ID, but never making sure the picture
matches the person you're talking to. This patch fixes that.
This patch adds 3 module-level variables to the socket module,
which get exposed iff ssl is built in. These variables (ssl_ca_file,
ssl_ca_path, and ssl_verify_level) provide programmer-level
access to the certificate authorities database and to control what
level of certificate verification is performed (by default, none, as is
the current behavior).
If certificate verification is enabled, then one of the two certificate
authority parameters must be set to a valid certificate authority
database or all certificate verification operations will fail. I have
an example certificate authority database (extracted from the Java
keystore) that I can provide, but I'm not sure how to contribute
that through the patch mechanism.
Cheers!
James Eagan
|
|
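The three states described in the message above (no verification, verification with a CA database, verification with no CA database), shown as an added example that is not part of the submitted patch. It uses the standard library's current `ssl.SSLContext` API rather than the patch's `socket`-level variables; `build_client_context`, `policy` and the boolean `verify` switch are hypothetical names chosen for illustration.

```python
import ssl


def build_client_context(ca_file=None, ca_path=None, verify=True):
    """Return an ssl.SSLContext for a client socket (hypothetical helper).

    verify=False reproduces the behaviour the post describes as current:
    the handshake completes but the peer certificate is never checked.
    verify=True requires a CA source and refuses to continue without one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not verify:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if ca_file is None and ca_path is None:
        # PROTOCOL_TLS_CLIENT starts with an empty trust store, so every
        # handshake would fail; raise here instead of at connect time.
        raise ValueError("verification enabled but no CA file or path given")
    ctx.load_verify_locations(cafile=ca_file, capath=ca_path)
    return ctx


def policy(ctx):
    """Summarise what a context will actually enforce during a handshake."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        # CAs from a ca_path directory are loaded lazily and not counted here.
        "cas_loaded": ctx.cert_store_stats()["x509_ca"],
    }
```

Logging `policy(ctx)` at startup makes a context that silently skips verification visible before any connection is made.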
msg47653 - (view) |
Author: Steve Holden (holdenweb) |
Date: 2005-02-03 18:48 |
|
How does this differ from 1114345?
|
|
msg47654 - (view) |
Author: James Eagan (noonian) |
Date: 2005-02-03 19:00 |
|
Uh, it doesn't. It was a user error/refresh bug with me and my web
browser. Sorry 'bout that.
|
|
msg47655 - (view) |
Author: Terry J. Reedy (tjreedy) |
Date: 2005-02-04 19:52 |
|
So please close this one as 'duplicate' or the closest thing
thereto, such as 'invalid'.
|
|
| Date | User | Action | Args |
| 2005-02-03 18:42:57 | noonian | create | |