Classification
Title: SSLContext doesn't support loading a CRL
Type: enhancement
Stage: resolved
Components: Extension Modules, Library (Lib)
Versions: Python 3.4

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: christian.heimes, dandrzejewski, dstufft, giampaolo.rodola, haypo, larry, ned.deily, pitrou, python-dev
Priority: normal
Keywords: patch

Created on 2010-05-24 21:17 by haypo, last changed 2014-03-18 10:05 by haypo. This issue is now closed.

Files
File name | Uploaded by | Date
verify_flags_crl.patch | christian.heimes | 2013-11-21 02:30
verify_flags_crl2.patch | christian.heimes | 2013-11-21 18:12
Messages (27)
msg106393 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2010-05-24 21:17
SSL Context should support loading a CRL. See M2Crypto patches:
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954
https://bugzilla.osafoundation.org/show_bug.cgi?id=11694

Or PyOpenSSL branch supporting CRL:
https://launchpad.net/~rick-fdd/pyopenssl/crl_and_revoked
msg143358 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-09-01 21:41
Is it enough to just load a CRL file, or is other functionality usually needed?

The following APIs should help us do it:
- X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
- int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
- X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);

And also for configuration (enable CRL checking on the context):
- X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
- int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
msg203170 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-17 14:24
Yes, you are right. OpenSSL uses the same API to load certs and CRLs. CRL checks must be enabled, though.
msg203562 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-21 02:30
The patch implements SSLContext.verify_flags in order to enable CRL checks. It comes with documentation, a unit test and a new CRL file.
msg203627 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-21 12:58
My patch is inspired by mod_ssl:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup#l697

CRLs can already be loaded with SSLContext.load_verify_locations(). The patch exposes the verification flags of SSLContext's X509_STORE. With X509_V_FLAG_CRL_CHECK OpenSSL requires (!) a CRL that matches the issuer of leaf certificate of the chain (the peer's cert). X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL also requires CRLs for all intermediate certs of the peer's cert chain.
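The behaviour described in this message (CRLs loaded through load_verify_locations(), verify_flags deciding whether OpenSSL demands one for the leaf only or for every intermediate as well) and the OpenSSL calls listed in msg143358, shown end to end. This is an added example, not code from the issue, the patch or CPython: it uses the `ssl.VERIFY_CRL_CHECK_LEAF` / `ssl.VERIFY_CRL_CHECK_CHAIN` constants as they landed in Python 3.4, builds a throwaway CA, two leaf certificates and a CRL with the third-party `cryptography` package (assumed installed; the demo returns None without it), and runs three handshakes against a loopback TLS server on 127.0.0.1. All names, file names and the PKI are constructed for the demo.

```python
# Added example (not code from the issue or CPython): enable CRL checking via
# SSLContext.verify_flags and see what OpenSSL then demands of the trust store.
import datetime, socket, ssl, tempfile, threading
from pathlib import Path


def crl_checking_context(cafile=None, crlfile=None, check_chain=False):
    """Client context that rejects revoked peers. CA bundle and CRL both go through
    load_verify_locations(); only verify_flags is new (CHECK_LEAF: CRL for the
    leaf's issuer is mandatory; CHECK_CHAIN: one per intermediate as well)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)  # the same call loads a PEM CRL
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN if check_chain else ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def _handshake(client_ctx, certfile, keyfile):
    """One loopback TLS handshake; returns 'ok' or OpenSSL's verify message."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile, keyfile)
    listener = socket.create_server(("127.0.0.1", 0))
    listener.settimeout(5)

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True):
                pass  # handshake done; a rejecting client shows up here as an SSLError
        except OSError:
            pass

    thread = threading.Thread(target=serve)
    thread.start()
    try:
        raw = socket.create_connection(listener.getsockname(), timeout=5)
        with client_ctx.wrap_socket(raw, server_hostname="localhost"):
            return "ok"
    except ssl.SSLCertVerificationError as err:
        return err.verify_message  # e.g. "certificate revoked"
    finally:
        thread.join()
        listener.close()


def _make_pki(tmp):
    """Constructed test PKI: CA, a good leaf, a revoked leaf and the CA's CRL."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization as ser
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.x509.oid import NameOID
    now, day = datetime.datetime.now(datetime.timezone.utc), datetime.timedelta(days=1)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

    def write(fname, pem):
        Path(tmp, fname).write_bytes(pem)
        return str(Path(tmp, fname))

    def cert(cn, key, issuer_key, ext):
        return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name("Test CA"))
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now - day).not_valid_after(now + day)
                .add_extension(ext, critical=False).sign(issuer_key, hashes.SHA256()))

    ca_key = rsa.generate_private_key(65537, 2048)
    ca = cert("Test CA", ca_key, ca_key, x509.BasicConstraints(ca=True, path_length=None))
    paths, serials = {"ca": write("ca.pem", ca.public_bytes(ser.Encoding.PEM))}, {}
    for tag in ("good", "revoked"):
        key = rsa.generate_private_key(65537, 2048)
        leaf = cert("localhost", key, ca_key, x509.SubjectAlternativeName([x509.DNSName("localhost")]))
        serials[tag] = leaf.serial_number
        paths[tag] = (write(tag + ".crt", leaf.public_bytes(ser.Encoding.PEM)),
                      write(tag + ".key", key.private_bytes(ser.Encoding.PEM, ser.PrivateFormat.PKCS8,
                                                            ser.NoEncryption())))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(now - day).next_update(now + day)
           .add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(serials["revoked"])
                                    .revocation_date(now - day).build())
           .sign(ca_key, hashes.SHA256()))
    paths["crl"] = write("ca.crl", crl.public_bytes(ser.Encoding.PEM))
    return paths


def demo_revocation():
    """Outcomes of three handshakes, or None when cryptography is not installed."""
    try:
        import cryptography  # noqa: F401  (only needed to build the test PKI)
    except ImportError:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        p = _make_pki(tmp)
        return {"good_with_crl": _handshake(crl_checking_context(p["ca"], p["crl"]), *p["good"]),
                "revoked_with_crl": _handshake(crl_checking_context(p["ca"], p["crl"]), *p["revoked"]),
                # the flag makes a CRL mandatory: even a valid cert fails without one
                "good_without_crl": _handshake(crl_checking_context(p["ca"]), *p["good"])}
```

Running `demo_revocation()` gives "ok" for the good certificate, "certificate revoked" for the revoked one, and "unable to get certificate CRL" for the good certificate once the CRL file is left out: exactly the "requires (!) a CRL" behaviour noted above, which is why a deployment that sets the flag must also keep a current CRL loaded (an expired `nextUpdate` fails the same way). Passing `check_chain=True` extends the requirement to every intermediate issuer.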
msg203663 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-21 18:12
The new patch addresses your review. I have altered the new names to FLAGS_NONE, FLAGS_CRL_CHECK_LEAF etc.
msg203664 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-11-21 18:22
That sounds too generic. How about VERIFY_CRL_NONE, etc.
msg203666 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-21 19:10
It *is* generic. The flags are not about CRL alone, http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html#VERIFICATION_FLAGS
msg203678 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-11-21 21:59
> It *is* generic. The flags are not about CRL alone,

That's why I proposed VERIFY_xxx, e.g. VERIFY_CRL_NONE.

Calling some flags "FLAGS" is senseless, it's like calling an integer "INTEGER".
msg203680 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-21 22:03
s/FLAGS_/VERIFY_/g ? OK, I don't have hard feelings. :)
msg203681 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-11-21 22:05
> s/FLAGS_/VERIFY_/g ? OK, I don't have hard feelings. :)

And VERIFY_NONE should be VERIFY_CRL_NONE IMO.
msg203688 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-21 22:45
But it's not about CRL alone. How about VERIFY_DEFAULT = 0 ?
msg203689 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-11-21 22:47
> But it's not about CRL alone. How about VERIFY_DEFAULT = 0 ?

Sounds good.
msg203691 - (view) Author: Roundup Robot (python-dev) Date: 2013-11-21 22:56
New changeset 83805c9d1f05 by Christian Heimes in branch 'default':
Issue #8813: Add SSLContext.verify_flags to change the verification flags
http://hg.python.org/cpython/rev/83805c9d1f05
msg203694 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-21 23:00
memo to me: add whatsnew entry
msg203895 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2013-11-22 21:49
This change seems to have broken the OS X 10.4 Tiger buildbot:

_ssl.c:2240: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2253: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2257: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2263: error: 'struct x509_store_st' has no member named 'param'

http://buildbot.python.org/all/builders/x86%20Tiger%203.x/builds/7370
msg203904 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-22 22:21
:(

I seriously need access to a Darwin or OSX box. This is the second time I broke the build on OSX.

msg203905 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2013-11-22 22:30
10.4 is *very* old:

$ /usr/bin/openssl version
OpenSSL 0.9.7l 28 Sep 2006

If you kept around that version of the headers and libs, you'd probably catch most of the problems.
msg203966 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2013-11-23 05:03
This problem also breaks the 32-bit OS X installer build.
msg203983 - (view) Author: Roundup Robot (python-dev) Date: 2013-11-23 10:24
New changeset 40d4be2b7258 by Christian Heimes in branch 'default':
Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
http://hg.python.org/cpython/rev/40d4be2b7258
msg203984 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-23 10:40
The _ssl module compiles again with OpenSSL 0.9.7.
msg212998 - (view) Author: Roundup Robot (python-dev) Date: 2014-03-09 22:50
New changeset 1508c4c9e747 by R David Murray in branch 'default':
whatsnew: SSLContext.verify_flags and constants. (#8813)
http://hg.python.org/cpython/rev/1508c4c9e747
msg213920 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2014-03-17 23:41
What is the status of this issue? Is it fixed or not?

The What's New in Python 3.4 document says that Python 3.4 can load CRL.
msg213951 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2014-03-18 09:41
Yes, Python 3.4 can load and use CRLs.
msg213952 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2014-03-18 09:44
> Yes, Python 3.4 can load and use CRLs.

Great work Christian, I have been expecting this feature for many years :-)
msg213953 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2014-03-18 09:47
It was *really* trivial. I just had to expose two simple OpenSSL APIs to enable / disable CRL. All versions of Python could already load the CRLs but CRL checks could not be enabled.
msg213954 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2014-03-18 10:05
> It was *really* trivial. I just had to expose two simple OpenSSL APIs to enable / disable CRL.

It was trivial thanks to all the work done before around SSLContext. For example, Python 2.7 doesn't have SSLContext, so adding support for CRL in Python 2.7 is non-trivial :-/
History
Date | User | Action | Args
2014-03-18 10:05:00 | haypo | set | messages: + msg213954
2014-03-18 09:47:14 | christian.heimes | set | messages: + msg213953
2014-03-18 09:44:37 | haypo | set | messages: + msg213952
2014-03-18 09:41:38 | christian.heimes | set | status: open -> closed; messages: + msg213951
2014-03-17 23:41:04 | haypo | set | messages: + msg213920
2014-03-09 22:50:26 | python-dev | set | status: pending -> open; messages: + msg212998
2013-11-23 10:40:55 | christian.heimes | set | priority: release blocker -> normal; status: open -> pending; resolution: fixed; messages: + msg203984
2013-11-23 10:24:41 | python-dev | set | messages: + msg203983
2013-11-23 05:03:19 | ned.deily | set | priority: normal -> release blocker; nosy: + larry; messages: + msg203966
2013-11-22 22:30:39 | ned.deily | set | messages: + msg203905
2013-11-22 22:21:54 | christian.heimes | set | messages: + msg203904
2013-11-22 21:49:09 | ned.deily | set | status: pending -> open; nosy: + ned.deily; messages: + msg203895; resolution: fixed -> (no value)
2013-11-21 23:00:45 | christian.heimes | set | status: open -> pending; messages: + msg203694; assignee: christian.heimes; resolution: fixed; stage: patch review -> resolved
2013-11-21 22:56:22 | python-dev | set | nosy: + python-dev; messages: + msg203691
2013-11-21 22:47:17 | pitrou | set | messages: + msg203689
2013-11-21 22:45:17 | christian.heimes | set | messages: + msg203688
2013-11-21 22:05:32 | pitrou | set | messages: + msg203681
2013-11-21 22:03:27 | christian.heimes | set | messages: + msg203680
2013-11-21 21:59:00 | pitrou | set | messages: + msg203678
2013-11-21 19:10:52 | christian.heimes | set | messages: + msg203666
2013-11-21 18:22:21 | pitrou | set | messages: + msg203664
2013-11-21 18:12:40 | christian.heimes | set | files: + verify_flags_crl2.patch; messages: + msg203663
2013-11-21 12:58:05 | christian.heimes | set | messages: + msg203627
2013-11-21 02:30:22 | christian.heimes | set | files: + verify_flags_crl.patch; keywords: + patch; messages: + msg203562; stage: needs patch -> patch review
2013-11-17 14:24:45 | christian.heimes | set | messages: + msg203170
2013-08-24 22:42:47 | dstufft | set | nosy: + dstufft
2013-07-08 12:22:02 | christian.heimes | set | nosy: + christian.heimes; components: + Extension Modules; versions: + Python 3.4, - Python 3.3
2011-10-05 19:26:10 | dandrzejewski | set | nosy: + dandrzejewski
2011-09-01 21:41:22 | pitrou | set | stage: needs patch; messages: + msg143358; versions: + Python 3.3, - Python 3.2
2010-05-24 21:54:50 | giampaolo.rodola | set | nosy: + giampaolo.rodola
2010-05-24 21:28:09 | pitrou | set | type: enhancement
2010-05-24 21:17:17 | haypo | set | nosy: + pitrou
2010-05-24 21:17:08 | haypo | create |