
classification
Title: Add client side certificate support to httplib
Type: enhancement
Stage:
Components:
Versions: Python 3.2, Python 2.7, Python 2.6
process
Status: closed
Resolution: not a bug
Dependencies:
Superseder:
Assigned To:
Nosy List: jnoller, loewis
Priority: normal
Keywords: patch

Created on 2009-06-12 16:43 by jnoller, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name: py26httplib.patch
Uploaded: jnoller, 2009-06-12 16:43
Messages (5)
msg89288 - Author: Jesse Noller (jnoller) (Python committer) Date: 2009-06-12 16:43
The attached patch adds client-side cert support to httplib, as well as 
validation. Rather than just commit this, I would like to have additional 
review.

Also, ideally this could be added to 2.6 maint (it seems like a pretty big 
hole) as well as 2.7/3.0. The patch is against 2.6 maint.
msg89289 - Author: Jesse Noller (jnoller) (Python committer) Date: 2009-06-12 16:44
And yes, I need to finish the doc patch.
msg89302 - Author: Martin v. Löwis (loewis) (Python committer) Date: 2009-06-12 21:00
> The attached patch adds client-side cert support to httplib, as well as 
> validation. Rather than just commit this, I would like to have additional 
> review.

I wouldn't call the feature "client-side cert support" - client
certificates are already supported, and had been for a long time.

What you are adding to httplib is server certificate validation.

I find the patch incomplete, for formal and semantical reasons:
a) it doesn't come with documentation or test suite changes, and
b) it doesn't implement the typical certificate checks that browsers
   do, beyond validating that the certificate is valid - e.g. also
   validating that the certificate is issued to the host you are trying
   to connect to.

API-wise, I'm not sure what the point of passing cert_reqs as a
parameter is - ISTM that, in httplib, if ca_certs is not None, then
cert_reqs should automatically be CERT_REQUIRED (just like it is
in get_server_certificate).

> Also, ideally this could be added to 2.6 maint (it seems like a pretty big 
> hole) 

It's a new feature, so it shouldn't be added to 2.6. Not sure what you
mean by "big hole".
msg89305 - Author: Jesse Noller (jnoller) (Python committer) Date: 2009-06-12 22:37
On Jun 12, 2009, at 5:00 PM, Martin v. Löwis <report@bugs.python.org>  
wrote:

>
> Martin v. Löwis <martin@v.loewis.de> added the comment:
>
>> The attached patch adds client-side cert support to httplib, as  
>> well as
>> validation. Rather than just commit this, I would like to have  
>> additional
>> review.
>
> I wouldn't call the feature "client-side cert support" - client
> certificates are already supported, and had been for a long time.
>
> What you are adding to httplib is server certificate validation.
>
> I find the patch incomplete, for formal and semantical reasons:
> a) it doesn't come with documentation or test suite changes, and
> b) it doesn't implement the typical certificate checks that browsers
>   do, beyond validating that the certificate is valid - e.g. also
>   validating that the certificate is issued to the host you are trying
>   to connect to.
>
> API-wise, I'm not sure what the point of passing cert_reqs as a
> parameter is - ISTM that, in httplib, if ca_certs is not None, then
> cert_reqs should automatically be CERT_REQUIRED (just like it is
> in get_server_certificate).
>
>> Also, ideally this could be added to 2.6 maint (it seems like a  
>> pretty big
>> hole)
>
> It's a new feature, so it shouldn't be added to 2.6. Not sure what you
> mean by "big hole".
>

Thanks, that's why I filed the ticket, it's my first foray into  
patching httplib - I'll go back to the patch drawing board!
msg89307 - Author: Jesse Noller (jnoller) (Python committer) Date: 2009-06-13 00:21
I'm going to close this until I come up with a more complete patch, and 
target it for 2.7. No reason to keep this in the tracker as-is.
History
Date User Action Args
2022-04-11 14:56:50 admin set github: 50522
2009-06-13 00:21:05 jnoller set status: open -> closed; resolution: not a bug; messages: + msg89307
2009-06-12 22:37:55 jnoller set messages: + msg89305
2009-06-12 21:00:30 loewis set nosy: + loewis; messages: + msg89302
2009-06-12 16:44:28 jnoller set messages: + msg89289
2009-06-12 16:43:46 jnoller create