
Author loewis
Recipients jnoller, loewis
Date 2009-06-12.21:00:30
Message-id <4A32C1EA.2040504@v.loewis.de>
In-reply-to <1244825028.47.0.339555934683.issue6273@psf.upfronthosting.co.za>
Content
> The attached patch adds client-side cert support to httplib, as well as 
> validation. Rather than just commit this, I would like to have additional 
> review.

I wouldn't call the feature "client-side cert support" - client
certificates are already supported, and had been for a long time.

What you are adding to httplib is server certificate validation.

I find the patch incomplete, for formal and semantical reasons:
a) it doesn't come with documentation or test suite changes, and
b) it doesn't implement the typical certificate checks that browsers
   do, beyond validating that the certificate is valid - e.g. also
   validating that the certificate is issued to the host you are trying
   to connect to.

API-wise, I'm not sure what the point of passing cert_reqs as a
parameter is - ISTM that, in httplib, if ca_certs is not None, then
cert_reqs should automatically be CERT_REQUIRED (just like it is
in get_server_certificate).

> Also, ideally this could be added to 2.6 maint (it seems like a pretty big 
> hole) 

It's a new feature, so it shouldn't be added to 2.6. Not sure what you
mean by "big hole".
History
Date User Action Args
2009-06-12 21:00:31 loewis set recipients: + loewis, jnoller
2009-06-12 21:00:30 loewis link issue6273 messages
2009-06-12 21:00:30 loewis create
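
The two checks discussed in the message above, sketched as an added example; this is not code from the patch or from httplib. The function names and the sample certificate are hypothetical, and the matcher is a simplified one that assumes a certificate dict in the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import ssl

def effective_cert_reqs(ca_certs):
    """Rule proposed in the message: supplying a CA bundle implies CERT_REQUIRED."""
    return ssl.CERT_REQUIRED if ca_certs is not None else ssl.CERT_NONE

def _name_match(pattern, hostname):
    """Compare one certificate name with the host; '*' may only replace
    the entire leftmost label (simplified matching, an assumption here)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require two more labels so a pattern like "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_matches_host(cert, hostname):
    """True if a chain-validated certificate was issued to `hostname`."""
    san_dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        # When DNS subjectAltName entries exist, commonName is not consulted.
        return any(_name_match(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_match(value, hostname):
                return True
    return False

# Constructed sample in getpeercert() format, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "*.static.example.org")),
}

if __name__ == "__main__":
    for host in ("www.example.org", "img.static.example.org",
                 "example.org", "www.example.org.invalid"):
        print(host, cert_matches_host(SAMPLE_CERT, host))
    print(effective_cert_reqs("ca-bundle.pem") == ssl.CERT_REQUIRED)
```

A certificate that passes chain validation but fails `cert_matches_host` is valid for some other host, which is the gap item (b) describes.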