Title: Add SSL certificate validation
Components: Extension Modules
Status: closed
Resolution: fixed
Nosy List: ahasenack, gustavo, janssen, jbowes, loewis, nagle, noonian, vila, vila-sf
Priority: normal
Keywords: patch

Created on 2005-02-01 23:04 by noonian, last changed 2007-12-10 20:01 by ahasenack. This issue is now closed.

Files
File name Uploaded Description
python-ssl-verification.diff noonian, 2005-02-01 23:04 python-ssl-verification patch
Messages (20)
msg47639 - (view) Author: James Eagan (noonian) Date: 2005-02-01 23:04
One line summary: adds certificate validation to the SSL module 
and programmer-level hooks to control how and whether 
certificate validation is performed.

Details:
The current SSL implementation in python goes through the 
motions of negotiating an SSL connection, but never validates the 
certificates exchanged.  This is like going through the motions of 
checking someone's photo id, but never making sure the picture 
matches the person you're talking to.  This patch fixes that.

This patch adds 3 module-level variables to the socket module, 
which get exposed iff ssl is built in.  These variables (ssl_ca_file, 
ssl_ca_path, and ssl_verify_level) provide programmer-level 
access to the certificate authorities database and to control what 
level of certificate verification is performed (by default, none, as is 
the current behavior).

If certificate verification is enabled, then one of the two certificate 
authority parameters must be set to  a valid certificate authority 
database or all certificate verification operations will fail.  I have 
an example certificate authority database (extracted from the Java 
keystore) that I can provide, but I'm not sure how to contribute 
that through the patch mechanism.

Cheers!
James Eagan
msg47640 - (view) Author: James Bowes (jbowes) Date: 2006-06-21 19:43
Logged In: YES 
user_id=1543815

I put together an updated version of this patch against svn
trunk as of June 21, 2006. I also added some additional
documentation to the .tex file.

Maybe someone with sufficient privileges (or James, if
you're still out there) could attach the updated patch here?

The updated patch is at:
http://www.dangerouslyinc.com/~bowes/ssl_ca.diff

Regards,
James Bowes
msg47641 - (view) Author: John Nagle (nagle) Date: 2006-11-09 04:14
Logged In: YES 
user_id=5571

What's the status of this?  Is it going in?  I have a need
for it.  Thanks.
msg47642 - (view) Author: James Eagan (noonian) Date: 2006-11-09 14:43
Logged In: YES 
user_id=31389

Nagle:  I haven't heard anything from anyone besides you and jbowes about this patch here or on the python-dev list, and I haven't had time to 
follow up.  You might have more success via the email list. (Or, if any of the python maintainers is reading this, do you have any suggestions to 
make this patch more attractive?)
msg47643 - (view) Author: Gustavo J. A. M. Carneiro (gustavo) * Date: 2006-11-09 15:20
Logged In: YES 
user_id=908

> This patch adds 3 module-level variables to the socket
> module, which get exposed iff ssl is built in. These
> variables (ssl_ca_file, ssl_ca_path, and ssl_verify_level)
> provide programmer-level access to the certificate
> authorities database and to control what level of
> certificate verification is performed (by default, none, as
> is the current behavior).

Are you sure it's a good idea to have this kind of 'global'
control over certification authorities?  Global
configurations are handy at first, but they come back and
bite us when we least expect it...
msg47644 - (view) Author: John Nagle (nagle) Date: 2006-11-30 20:13
This has been pending for a few months, and there's a fix, but it's not in yet.  What's going on?

I just had Python accept a totally bogus certificate from "www.amaison.co.uk".
The certificate contents are

C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root@localhost.localdomain
Issuer identity:
C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root@localhost.localdomain

Python is perfectly happy with that.  Which is embarrassing.
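
The two properties that make the certificate in msg47644 unacceptable for www.amaison.co.uk, checked mechanically. This is an added example, not part of the original thread or of the patch. The function names are hypothetical, the listing is constructed from the fields quoted above, and the name check is simplified. It does not verify signatures; that is the job of the ssl module when validation is enabled.

```python
# Constructed input: the field listing quoted in msg47644 (same identity twice).
IDENTITY = """\
C = --
ST = SomeState
L = SomeCity
O = SomeOrganization
OU = SomeOrganizationalUnit
CN = localhost.localdomain
emailAddress = root@localhost.localdomain
"""
LISTING = IDENTITY + "Issuer identity:\n" + IDENTITY


def parse_listing(text):
    """Split a 'KEY = value' listing into (subject, issuer) lists of pairs."""
    subject, issuer = [], []
    current = subject
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("issuer"):
            current = issuer          # everything after this header is the issuer
            continue
        key, sep, value = line.partition("=")
        if sep:
            current.append((key.strip(), value.strip()))
    return subject, issuer


def cn_matches(cn, host):
    """Simplified name check: exact match, or one leftmost '*.' wildcard label."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host


def findings(text, host):
    """Return the reasons a validating client should refuse this certificate."""
    subject, issuer = parse_listing(text)
    reasons = []
    if subject and subject == issuer:
        reasons.append("self-issued")      # chains to no CA unless explicitly trusted
    if not any(cn_matches(v, host) for k, v in subject if k == "CN"):
        reasons.append("name-mismatch")    # certificate was not issued for this host
    return reasons


if __name__ == "__main__":
    print(findings(LISTING, "www.amaison.co.uk"))
```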
msg47645 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2006-11-30 20:50
The patch is not integrated because nobody had the time to review it; this, in turn, did not happen because we lack reviewers.

A quick review reveals that the patch is incomplete: it does not provide changes to the documentation (which it needs to, because it introduces a new feature).

The patch also includes no changes to the test suite.
msg47646 - (view) Author: James Eagan (noonian) Date: 2006-11-30 21:09
I'd be happy to make the changes löwis suggested, but it will be quite a while before I can find the necessary time.  If anyone else can update the docs and tests, please let me know!
msg47647 - (view) Author: vila-sf (vila-sf) Date: 2007-04-25 08:33
Like nagle, I have a need for this.

But the updated patch is now returning a 404 :-(

Since there are still three of us interested in that patch, what can we do?
msg47648 - (view) Author: vila-sf (vila-sf) Date: 2007-04-25 08:35
Like nagle, I have a need for this.

But the updated patch is now returning a 404 :-(

Since there are still three of us interested in that patch, what can we do?
msg47649 - (view) Author: John Nagle (nagle) Date: 2007-04-25 16:44
Note: If you need this, M2Crypto, a third party replacement for the SSL module, provides the necessary functionality.  M2Crypto tends to be a headache to build (it uses SWIG, has version dependencies on SWIG, OpenSSL, the compiler, and CPython, and needs some code from its source repository that isn't in the current release), but the correct functionality is in there.  That's what I'm using now.
msg55295 - (view) Author: Bill Janssen (janssen) * (Python committer) Date: 2007-08-26 02:56
I believe this is now fixed with patch 1018.
msg55450 - (view) Author: Bill Janssen (janssen) * (Python committer) Date: 2007-08-29 23:03
Fixed in 2.6.
msg55463 - (view) Author: vila-sf (vila-sf) Date: 2007-08-30 06:54
>>>>> "Bill" == Bill Janssen <report@bugs.python.org> writes:

    Bill> Bill Janssen added the comment:

    Bill> Fixed in 2.6.

    Bill> ----------
    Bill> resolution:  -> fixed
    Bill> status: open -> closed

Thanks for the work on the server side !

But there is still one bit missing for the client side, the
original patch allowed the handling of self-certified sites
which, AIUI, you don't provide.

Am I wrong ?

   Vincent
msg55493 - (view) Author: Bill Janssen (janssen) * (Python committer) Date: 2007-08-30 17:42
The new SSL code does work with self-signed certs, either by skipping 
validation with CERT_NONE, or by adding the cert to the ca_certs file.  I 
don't believe there are any other options that make sense, but if you can 
suggest one, let's hear it.
msg55619 - (view) Author: vila-sf (vila-sf) Date: 2007-09-03 12:32
Using CERT_NONE or adding the cert covers my needs, thanks.

Any hope this will be backported to python 2.5 ?
msg55620 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2007-09-03 12:52
There definitely won't be any new features in 2.5.x. However, I think
Bill said he might make this available separately.
msg55622 - (view) Author: Bill Janssen (janssen) * (Python committer) Date: 2007-09-03 16:49
I'm planning to do a package for 2.3...

Sent from my iPhone

On Sep 3, 2007, at 5:32 AM, vila-sf <report@bugs.python.org> wrote:

> vila-sf added the comment:
>
> Using CERT_NONE or adding the cert covers my needs, thanks.
>
> Any hope this will be backported to python 2.5 ?
msg56410 - (view) Author: (vila) Date: 2007-10-14 09:21
> I'm planning to do a package for 2.3...

Any progress on that package ?

I'd like to do the same for python 2.4 and 2.5 as I have a need for it
for both versions. 

I don't know what you call a package though,  but I'm willing to learn :)
msg56423 - (view) Author: Bill Janssen (janssen) * (Python committer) Date: 2007-10-14 20:07
See the SSL package on PyPI.  Should work on 2.3, 2.4, and 2.5.

Bill

On 10/14/07, vila <report@bugs.python.org> wrote:
>
> vila added the comment:
>
> > I'm planning to do a package for 2.3...
>
> Any progress on that package ?
>
> I'd like to do the same for python 2.4 and 2.5 as I have a need for it
> for both versions.
>
> I don't know what you call a package though,  but I'm willing to learn :)
>
> ----------
> nosy: +vila
History
Date User Action Args
2007-12-10 20:01:57 ahasenack set nosy: + ahasenack
2007-10-14 20:07:31 janssen set messages: + msg56423
2007-10-14 09:21:36 vila set nosy: + vila; messages: + msg56410
2007-09-03 16:49:55 janssen set messages: + msg55622
2007-09-03 12:52:11 loewis set messages: + msg55620
2007-09-03 12:32:22 vila-sf set messages: + msg55619
2007-08-30 17:42:08 janssen set messages: + msg55493
2007-08-30 06:54:19 vila-sf set messages: + msg55463
2007-08-29 23:03:05 janssen set status: open -> closed; resolution: fixed; messages: + msg55450
2007-08-26 02:56:09 janssen set nosy: + janssen; messages: + msg55295
2005-02-01 23:04:16 noonian create