
Author pitrou
Recipients Ryan.Tucker, ahasenack, asdfasdfasdfasdfasdfasdfasdf, debatem1, devin, giampaolo.rodola, heikki, janssen, jsamuel, kiilerix, orsenthil, pitrou, vila, zooko
Date 2010-10-04.10:37:07
Message-id <1286188623.3178.9.camel@localhost.localdomain>
In-reply-to <1286153571.56.0.333502733747.issue1589@psf.upfronthosting.co.za>
Content
Hello,

> I added some extra verification to Mercurial
> (http://www.selenic.com/hg/rev/f2937d6492c5). Feel free to use the
> following under the Python license in Python or elsewhere. It could be
> a separate method/function or it could be integrated in wrap_socket and
> controlled by a keyword. I would appreciate if you find the
> implementation insufficient or incorrect.

Thank you, I'll take a look!

> Are CRLs checked by the SSL module? Otherwise it deserves a big fat
> warning.

They are not, but AFAIK most browsers don't check CRLs either...
(or rather, they don't download updated CRLs)

> (I now assume that notBefore is handled by the SSL module and
> shouldn't be checked here.)

I can't say for sure, but OpenSSL seems to handle both notBefore and
notAfter as part of its cert verification routine (see interval_verify()
and cert_check_time() in crypto/x509/x509_vfy.c).
History
Date                 User    Action  Args
2010-10-04 10:37:11  pitrou  set     recipients: + pitrou, zooko, janssen, orsenthil, giampaolo.rodola, vila, heikki, ahasenack, kiilerix, debatem1, jsamuel, devin, asdfasdfasdfasdfasdfasdfasdf, Ryan.Tucker
2010-10-04 10:37:08  pitrou  link    issue1589 messages
2010-10-04 10:37:07  pitrou  create
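
The two points discussed in this message, as an added example that is not part of the original thread and is not CPython's or Mercurial's code: it uses the `ssl.SSLContext` API of later Python versions (3.4+) to show that CRL checking stays off unless requested, and re-checks the notBefore/notAfter window at application level. The `crl_file` parameter is hypothetical and `SAMPLE_CERT` is constructed sample data.

```python
import ssl


def crl_check_enabled(ctx):
    """True if the context asks OpenSSL to consult a CRL for the peer's leaf cert."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)


def context_with_crl_check(crl_file=None):
    """Default client context with leaf CRL checking switched on.

    crl_file (hypothetical path) is a PEM file holding the issuing CA's
    current CRL; downloading and refreshing it is the caller's job.
    With the flag set and no CRL loaded, OpenSSL rejects every handshake.
    """
    ctx = ssl.create_default_context()
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if crl_file is not None:
        # load_verify_locations() accepts CRLs as well as CA certificates.
        ctx.load_verify_locations(cafile=crl_file)
    return ctx


def validity_problems(cert, now):
    """Re-check the validity window of a getpeercert()-style dict.

    OpenSSL already enforces this during chain verification; an
    application-level check is defence in depth and gives a clearer error.
    'now' is seconds since the epoch (UTC).
    """
    not_before = cert.get("notBefore")
    not_after = cert.get("notAfter")
    if not_before is None or not_after is None:
        return ["missing validity field"]
    problems = []
    if now < ssl.cert_time_to_seconds(not_before):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(not_after):
        problems.append("expired")
    return problems


# Constructed sample in the format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notBefore": "Oct  4 10:37:07 2010 GMT",
    "notAfter": "Oct  4 10:37:07 2011 GMT",
}
```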