
Author christian.heimes
Recipients alex, barry, bkabrda, christian.heimes, doko, dstufft, janssen, lemburg, ncoghlan, pitrou, r.david.murray, rkuska, vstinner
Date 2015-05-08.22:14:38
Message-id <1431123278.42.0.615455343741.issue23857@psf.upfronthosting.co.za>
Content
Please let me join the party. :)

Like Antoine and Donald, I'm against an option to disable certificate validation. I truly believe it's the wrong approach for the problem.

Users don't *want* to disable security checks either. They disable the check because an SSL verification error is disruptive and they want to get on with their lives. Because with Python they have no other easy option, they take the quick and easy path. *Yoda's voice* If you end SSL verification now - if you choose the quick and easy path as others did - you will become an agent of evil.

I'd like to suggest a better way. Let's handle cert checks like Firefox or OpenSSH. Both give you the option to trust an unknown certificate for a specific host name and remember this trust, too. Let's add a feature to do the same with Python. Yes, it would require more work, additional features and careful engineering. But I strongly believe it's the better approach.

Rough design idea:

$ python ssl trustcert https://192.168.42.1

This command retrieves the cert from 192.168.42.1:443 and stores the mapping of 192.168.42.1 to the SPKI sha512 hash in a file/directory relative to sys.prefix.

When an ssl._create_stdlib_context() context gets a verification error, it checks the file for the hostname and SPKI hash of the leaf certificate.

This feature requires access to SPKI as DER and a proper verify_cb callback function. Disclaimer: I have code for the first feature and a plan for the second.
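The trust-on-first-use store sketched above, as an added example that is not code from the issue or from CPython: a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate, and a JSON file keyed by hostname holds its sha512 hex digest, consulted only after normal chain verification has failed. The file name, the Ed25519 key in the sample and the certificate-shaped test input (constructed, unsigned) are assumptions.

```python
import hashlib, hmac, json, os, tempfile
def der(tag, content):  # short-form DER TLV, enough for the small constructed sample below
    return bytes([tag, len(content)]) + content
def der_read(buf, off=0):
    """Decode one TLV at buf[off]: (tag, value, offset just past the TLV)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length
def der_children(value):  # yields (tag, whole TLV bytes) per element of a constructed value
    off = 0
    while off < len(value):
        tag, _, nxt = der_read(value, off)
        yield tag, value[off:nxt]
        off = nxt
def spki_from_cert_der(cert_der):
    """DER SubjectPublicKeyInfo. TBSCertificate order: [0] version (optional),
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo."""
    fields = list(der_children(der_read(der_read(cert_der)[1])[1]))
    if fields[0][0] == 0xA0:                       # explicit [0] version is present
        fields = fields[1:]
    return fields[5][1]
def spki_sha512(cert_der):
    return hashlib.sha512(spki_from_cert_der(cert_der)).hexdigest()
class TrustStore:
    """hostname -> SPKI sha512 hex, persisted as JSON (file name is an assumption)."""
    def __init__(self, path):
        self.path = path
        self.pins = json.load(open(path)) if os.path.exists(path) else {}
    def trust(self, hostname, cert_der):           # the 'python ssl trustcert' step
        self.pins[hostname] = spki_sha512(cert_der)
        with open(self.path, "w") as f:
            json.dump(self.pins, f)
    def is_trusted(self, hostname, cert_der):      # consulted only after chain verification failed
        pin = self.pins.get(hostname)
        return pin is not None and hmac.compare_digest(pin, spki_sha512(cert_der))
def sample_cert(pubkey32):
    """Constructed, unsigned certificate-shaped DER carrying an Ed25519 SPKI; not a real cert."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, b"\x00" + pubkey32))
    empty = der(0x30, b"")                         # stands in for name/validity/sigalg fields
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + empty * 4 + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))
def demo():  # pin one host, reload the store, test same key / other key / unknown host
    with tempfile.TemporaryDirectory() as d:
        store = TrustStore(os.path.join(d, "trusted_spki.json"))
        cert_a, cert_b = sample_cert(b"A" * 32), sample_cert(b"B" * 32)
        store.trust("192.168.42.1", cert_a)
        reloaded = TrustStore(store.path)          # pins survive a restart
        return (reloaded.is_trusted("192.168.42.1", cert_a),
                reloaded.is_trusted("192.168.42.1", cert_b),
                reloaded.is_trusted("other.example", cert_a))
```

Pinning the SPKI rather than the whole certificate keeps the trust entry valid across a renewal that reuses the key, while any key change for that host fails closed until the user re-runs the trust step.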