Message 58547 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	janssen
Recipients	ahasenack, janssen
Date	2007-12-13.18:10:26
SpamBayes Score	0.00021942377
Marked as misclassified	No
Message-id	<4b3e516a0712131010oc47455ev7d342a3c0ceff2d0@mail.gmail.com>
In-reply-to	<1197558870.27.0.0210737785058.issue1589@psf.upfronthosting.co.za>

Content
The mechanism is there for direct use of the SSL module, yes. But the question is, what should indirect usage, like the httplib or urllib modules, do? If they are going to check hostnames on use of an https: URL, they need some way to pass a ca_certs file through to the SSL code they use. Bill On Dec 13, 2007 7:14 AM, Andreas Hasenack <report@bugs.python.org> wrote: > > Andreas Hasenack added the comment: > > > do it automatically. Unfortunately, that means that client-side > certificate > > verification has to be done (it's pointless to look at the data in > > unverified certificates), and that means that the client software has to > > have an appropriate collection of root certificates to verify against. > I > > But the current API already has this feature: > ssl_sock = ssl.wrap_socket(s, ca_certs="/etc/pki/tls/rootcerts/%s" % cert, > cert_reqs=ssl.CERT_REQUIRED) > > So this is already taken care of with ca_certs and cert_reqs, right? > > __________________________________ > Tracker <report@bugs.python.org> > <http://bugs.python.org/issue1589> > __________________________________ >

The mechanism is there for direct use of the SSL module, yes.  But the
question is, what should indirect usage, like the httplib or urllib modules,
do?  If they are going to check hostnames on use of an https: URL, they need
some way to pass a ca_certs file through to the SSL code they use.

Bill

On Dec 13, 2007 7:14 AM, Andreas Hasenack <report@bugs.python.org> wrote:

>
> Andreas Hasenack added the comment:
>
> > do it automatically.  Unfortunately, that means that client-side
> certificate
> > verification has to be done (it's pointless to look at the data in
> > unverified certificates), and that means that the client software has to
> > have an appropriate collection of root certificates to verify against.
>  I
>
> But the current API already has this feature:
> ssl_sock = ssl.wrap_socket(s, ca_certs="/etc/pki/tls/rootcerts/%s" % cert,
>                      cert_reqs=ssl.CERT_REQUIRED)
>
> So this is already taken care of with ca_certs and cert_reqs, right?
>
> __________________________________
> Tracker <report@bugs.python.org>
> <http://bugs.python.org/issue1589>
> __________________________________
>

Files
File name	Uploaded
unnamed	janssen, 2007-12-13.18:10:26

History
Date	User	Action	Args
2007-12-13 18:10:26	janssen	set	spambayes_score: 0.000219424 -> 0.00021942377 recipients: + janssen, ahasenack
2007-12-13 18:10:26	janssen	link	issue1589 messages
2007-12-13 18:10:26	janssen	create