Message 89305 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	jnoller
Recipients	jnoller, loewis
Date	2009-06-12.22:37:55
SpamBayes Score	1.9491592e-10
Marked as misclassified	No
Message-id	<48D73D90-9EED-4E07-A6BB-5C443B86093B@gmail.com>
In-reply-to	<4A32C1EA.2040504@v.loewis.de>

Content
On Jun 12, 2009, at 5:00 PM, Martin v. Löwis <report@bugs.python.org> wrote: > > Martin v. Löwis <martin@v.loewis.de> added the comment: > >> The attached patch adds client-side cert support to httplib, as >> well as >> validation. Rather than just commit this, I would like to have >> additional >> review. > > I wouldn't call the feature "client-side cert support" - client > certificates are already supported, and had been for a long time. > > What you are adding to httplib is server certificate validation. > > I find the patch incomplete, for formal and semantical reasons: > a) it doesn't come with documentation or test suite changes, and > b) it doesn't implement the typical certificate checks that browsers > do, beyond validating that the certificate is valid - e.g. also > validating that the certificate is issued to the host you are trying > to connect to. > > API-wise, I'm not sure what the point of passing cert_reqs as a > parameter is - ISTM that, in httplib, if ca_certs is not None, then > cert_reqs should automatically be CERT_REQUIRED (just like it is > in get_server_certificate). > >> Also, ideally this could be added to 2.6 maint (it seems like a >> pretty big >> hole) > > It's a new feature, so it shouldn't be added to 2.6. Not sure what you > mean by "big hole". > Thanks, that's why I filed the ticket, it's my first foray into patching httplib - I'll go back to the patch drawing board!

On Jun 12, 2009, at 5:00 PM, Martin v. Löwis <report@bugs.python.org>  
wrote:

>
> Martin v. Löwis <martin@v.loewis.de> added the comment:
>
>> The attached patch adds client-side cert support to httplib, as  
>> well as
>> validation. Rather than just commit this, I would like to have  
>> additional
>> review.
>
> I wouldn't call the feature "client-side cert support" - client
> certificates are already supported, and had been for a long time.
>
> What you are adding to httplib is server certificate validation.
>
> I find the patch incomplete, for formal and semantical reasons:
> a) it doesn't come with documentation or test suite changes, and
> b) it doesn't implement the typical certificate checks that browsers
>   do, beyond validating that the certificate is valid - e.g. also
>   validating that the certificate is issued to the host you are trying
>   to connect to.
>
> API-wise, I'm not sure what the point of passing cert_reqs as a
> parameter is - ISTM that, in httplib, if ca_certs is not None, then
> cert_reqs should automatically be CERT_REQUIRED (just like it is
> in get_server_certificate).
>
>> Also, ideally this could be added to 2.6 maint (it seems like a  
>> pretty big
>> hole)
>
> It's a new feature, so it shouldn't be added to 2.6. Not sure what you
> mean by "big hole".
>

Thanks, that's why I filed the ticket, it's my first foray into  
patching httplib - I'll go back to the patch drawing board!

History
Date	User	Action	Args
2009-06-12 22:37:57	jnoller	set	recipients: + jnoller, loewis
2009-06-12 22:37:55	jnoller	link	issue6273 messages
2009-06-12 22:37:55	jnoller	create