classification
Title: xmlrpclib.ServerProxy() doesn't use x509 data
Type: behavior Stage:
Components: Library (Lib) Versions: Python 2.6
process
Status: closed Resolution: rejected
Dependencies: Superseder:
Assigned To: janssen Nosy List: ahasenack, benjamin.peterson, gvanrossum, jafo, janssen, loewis
Priority: critical Keywords:

Created on 2007-12-10 19:41 by ahasenack, last changed 2008-07-31 02:00 by benjamin.peterson. This issue is now closed.

Files
File name Uploaded Description
xmlrpclib-x509.patch ahasenack, 2007-12-10 19:41
Messages (9)
msg58363 - Author: Andreas Hasenack (ahasenack) Date: 2007-12-10 19:41
I was trying to use xmlrpclib.ServerProxy() with https and client
certificate validation (I know httplib doesn't do server certificate
validation yet). I found no way to pass on host/uri as a
(host,x509_dict) tuple as the connection methods support, so I came up
with this patch.
msg58366 - Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2007-12-10 19:53
This should be considered for 2.6, not 2.5 (which is in feature freeze).

I'm hoping Bill Janssen can review this.
msg58373 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2007-12-10 22:16
I would like to ask the submitter to review the code himself for
suitability in 2.6. The underlying API has been extended a lot, so it's
unlikely that this patch is still the best choice.
msg58426 - Author: Andreas Hasenack (ahasenack) Date: 2007-12-11 12:52
The only difference between xmlrpclib.py from trunk and 2.5.1 is in the
Marshaller class. Unrelated, as far as I can see.

Note that it seems that the intent of the original code was to support
this x509-dict all along:

$ grep -n x509 xmlrpclib.py.trunk
1224:    # Host may be a string, or a (host, x509-dict) tuple; if a string,
1228:    # @param host Host descriptor (URL or (URL, x509 info) tuple).
1230:    #     x509 info).  The header and x509 fields may be None.
1234:        x509 = {}
1236:            host, x509 = host
1251:        return host, extra_headers, x509
1262:        host, extra_headers, x509 = self.get_host_info(host)
1282:        host, extra_headers, x509 = self.get_host_info(host)
1362:        # host may be a string, or a (host, x509-dict) tuple
1364:        host, extra_headers, x509 = self.get_host_info(host)
1372:            return HTTPS(host, None, **(x509 or {}))

Basically just the ServerProxy constructor doesn't support it. One would
have to create a new class with a new constructor just because of it.
That's why I opened this ticket.
msg63819 - Author: Sean Reifschneider (jafo) * (Python committer) Date: 2008-03-18 00:32
This patch also needs to include a patch to the documentation.

Martin: Do you agree with the discussion on the changes for 2.6?
msg63941 - Author: Bill Janssen (janssen) * (Python committer) Date: 2008-03-18 16:53
Looking at this patch, I definitely agree with the need for
documentation. And a test case which uses the SafeTransport class.
But the patch itself also needs a bit more work. (It uses httplib.HTTPS
underneath, and that needs more work, too.) At a minimum, the caller
should be able to optionally specify somehow, either as a constructor
arg, or otherwise (a module-global variable, perhaps), a set of
certificate-authority root certs, which, if specified, would cause
client-side validation of the server's certificate. I think this should
be added as an optional constructor arg to the HTTPS class.
msg63987 - Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2008-03-18 21:02
Let's tentatively say this needs to go into 2.6. Bill, if in the end
you decide against it, just reject the patch.
msg64021 - Author: Bill Janssen (janssen) * (Python committer) Date: 2008-03-19 00:35
No test case. No provision for client validation of server certificate.
msg70463 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-07-31 02:00
I assume you wanted to close this too.
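
An added example, not part of the tracker thread or the submitted patch: in Python 3, where xmlrpclib became xmlrpc.client, ServerProxy accepts an ssl.SSLContext, which covers both the client certificate asked for in the report and the CA-root validation of the server certificate asked for in review. The host name, file parameters and helper names below are assumptions for illustration.

```python
import ssl
import xmlrpc.client  # Python 3 name of the xmlrpclib module discussed here


def build_tls_context(ca_file=None, cert_file=None, key_file=None):
    """Client-side context that validates the server and, optionally,
    presents a client certificate (file names are caller-supplied)."""
    # create_default_context() sets CERT_REQUIRED and hostname checking;
    # ca_file=None falls back to the system trust store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def make_proxy(uri, ca_file=None, cert_file=None, key_file=None):
    """Return (ServerProxy, SSLContext); no connection is opened here."""
    # Refuse plain HTTP: ServerProxy would silently ignore the context and
    # the client certificate would never be presented.
    if not uri.lower().startswith("https://"):
        raise ValueError("TLS settings require an https:// URI")
    ctx = build_tls_context(ca_file, cert_file, key_file)
    return xmlrpc.client.ServerProxy(uri, context=ctx), ctx


def split_host_tuple(host):
    """Show how the transport unpacks the (host, x509-dict) form from the thread."""
    return xmlrpc.client.Transport().get_host_info(host)


if __name__ == "__main__":
    # Constructed sample values; rpc.example.invalid is a placeholder host.
    proxy, ctx = make_proxy("https://rpc.example.invalid/RPC2")
    print(ctx.verify_mode, ctx.check_hostname)
    print(split_host_tuple(("rpc.example.invalid", {"cert_file": "client.pem"})))
```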
History
Date User Action Args
2008-07-31 02:00:17 benjamin.peterson set status: open -> closed; nosy: + benjamin.peterson; messages: + msg70463
2008-03-19 00:35:13 janssen set resolution: rejected; messages: + msg64021
2008-03-18 21:02:15 gvanrossum set priority: critical; messages: + msg63987; versions: + Python 2.6, - Python 2.5
2008-03-18 16:53:02 janssen set messages: + msg63941
2008-03-18 00:32:53 jafo set nosy: + jafo; messages: + msg63819
2007-12-11 12:52:28 ahasenack set messages: + msg58426
2007-12-10 22:16:57 loewis set nosy: + loewis; messages: + msg58373
2007-12-10 19:53:27 gvanrossum set assignee: janssen; messages: + msg58366; nosy: + gvanrossum, janssen
2007-12-10 19:41:26 ahasenack create