msg106393 | Author: STINNER Victor (vstinner) | Date: 2010-05-24 21:17
SSL Context should support loading a CRL. See M2Crypto patches:
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954
https://bugzilla.osafoundation.org/show_bug.cgi?id=11694
Or PyOpenSSL branch supporting CRL:
https://launchpad.net/~rick-fdd/pyopenssl/crl_and_revoked

msg143358 | Author: Antoine Pitrou (pitrou) | Date: 2011-09-01 21:41
Is it enough to just load a CRL file, or is other functionality usually needed?
The following APIs should help us do it:
- X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
- int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
- X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
And also for configuration (enable CRL checking on the context):
- X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
- int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);

msg203170 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-17 14:24
Yes, you are right. OpenSSL uses the same API to load certs and CRLs. CRL checks must be enabled, though.

msg203562 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-21 02:30
The patch implements SSLContext.verify_flags in order to enable CRL checks. It comes with documentation, a unit test and a new CRL file.

msg203627 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-21 12:58
My patch is inspired by mod_ssl:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup#l697
CRLs can already be loaded with SSLContext.load_verify_locations(). The patch exposes the verification flags of SSLContext's X509_STORE. With X509_V_FLAG_CRL_CHECK OpenSSL requires (!) a CRL that matches the issuer of the leaf certificate of the chain (the peer's cert). X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL also requires CRLs for all intermediate certs of the peer's cert chain.

msg203663 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-21 18:12
The new patch addresses your review. I have altered the new names to FLAGS_NONE, FLAGS_CRL_CHECK_LEAF etc.

msg203664 | Author: Antoine Pitrou (pitrou) | Date: 2013-11-21 18:22
That sounds too generic. How about VERIFY_CRL_NONE, etc.

msg203666 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-21 19:10
It *is* generic. The flags are not about CRL alone, http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html#VERIFICATION_FLAGS

msg203678 | Author: Antoine Pitrou (pitrou) | Date: 2013-11-21 21:59
> It *is* generic. The flags are not about CRL alone,
That's why I proposed VERIFY_xxx, e.g. VERIFY_CRL_NONE.
Calling some flags "FLAGS" is senseless, it's like calling an integer "INTEGER".

msg203680 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-21 22:03
s/FLAGS_/VERIFY_/g ? OK, I don't have hard feelings. :)

msg203681 | Author: Antoine Pitrou (pitrou) | Date: 2013-11-21 22:05
> s/FLAGS_/VERIFY_/g ? OK, I don't have hard feelings. :)
And VERIFY_NONE should be VERIFY_CRL_NONE IMO.

msg203688 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-21 22:45
But it's not about CRL alone. How about VERIFY_DEFAULT = 0 ?

msg203689 | Author: Antoine Pitrou (pitrou) | Date: 2013-11-21 22:47
> But it's not about CRL alone. How about VERIFY_DEFAULT = 0 ?
Sounds good.

msg203691 | Author: Roundup Robot (python-dev) | Date: 2013-11-21 22:56
New changeset 83805c9d1f05 by Christian Heimes in branch 'default':
Issue #8813: Add SSLContext.verify_flags to change the verification flags
http://hg.python.org/cpython/rev/83805c9d1f05

msg203694 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-21 23:00
memo to me: add whatsnew entry

msg203895 | Author: Ned Deily (ned.deily) | Date: 2013-11-22 21:49
This change seems to have broken the OS X 10.4 Tiger buildbot:
_ssl.c:2240: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2253: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2257: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2263: error: 'struct x509_store_st' has no member named 'param'
http://buildbot.python.org/all/builders/x86%20Tiger%203.x/builds/7370

msg203904 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-22 22:21
:(
I seriously need access to a Darwin or OSX box. This is the second time I broke the build on OSX.

msg203905 | Author: Ned Deily (ned.deily) | Date: 2013-11-22 22:30
10.4 is *very* old:
$ /usr/bin/openssl version
OpenSSL 0.9.7l 28 Sep 2006
If you kept around that version of the headers and libs, you'd probably catch most of the problems.

msg203966 | Author: Ned Deily (ned.deily) | Date: 2013-11-23 05:03
This problem also breaks the 32-bit OS X installer build.

msg203983 | Author: Roundup Robot (python-dev) | Date: 2013-11-23 10:24
New changeset 40d4be2b7258 by Christian Heimes in branch 'default':
Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
http://hg.python.org/cpython/rev/40d4be2b7258

msg203984 | Author: Christian Heimes (christian.heimes) | Date: 2013-11-23 10:40
The _ssl module compiles again with OpenSSL 0.9.7.

msg212998 | Author: Roundup Robot (python-dev) | Date: 2014-03-09 22:50
New changeset 1508c4c9e747 by R David Murray in branch 'default':
whatsnew: SSLContext.verify_flags and constants. (#8813)
http://hg.python.org/cpython/rev/1508c4c9e747

msg213920 | Author: STINNER Victor (vstinner) | Date: 2014-03-17 23:41
What is the status of this issue? Is it fixed or not?
The What's New in Python 3.4 document says that Python 3.4 can load CRL.

msg213951 | Author: Christian Heimes (christian.heimes) | Date: 2014-03-18 09:41
Yes, Python 3.4 can load and use CRLs.

msg213952 | Author: STINNER Victor (vstinner) | Date: 2014-03-18 09:44
> Yes, Python 3.4 can load and use CRLs.
Great work Christian, I have been expecting this feature for many years :-)

msg213953 | Author: Christian Heimes (christian.heimes) | Date: 2014-03-18 09:47
It was *really* trivial. I just had to expose two simple OpenSSL APIs to enable / disable CRL. All versions of Python could already load the CRLs but CRL checks could not be enabled.

msg213954 | Author: STINNER Victor (vstinner) | Date: 2014-03-18 10:05
> It was *really* trivial. I just had to expose two simple OpenSSL APIs to enable / disable CRL.
It was trivial thanks to all the work done before around SSLContext. For example, Python 2.7 doesn't have SSLContext, so adding support for CRL in Python 2.7 is non-trivial :-/
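The mechanism Christian describes in msg203627 and msg213953, as an added example (not code from the issue, its patches or CPython itself): a client context that loads a CRL through load_verify_locations() and only then switches the check on through verify_flags, with VERIFY_CRL_CHECK_CHAIN covering the VERIFY_CRL_CHECK_LEAF bit as the thread states. The file paths and the command-line invocation are assumptions.

```python
import ssl

def enable_crl_checks(ctx, check_chain=False):
    """Turn on CRL checking for ctx and return it.

    VERIFY_CRL_CHECK_LEAF requires a loaded CRL from the issuer of the peer's
    leaf certificate; VERIFY_CRL_CHECK_CHAIN (CRL_CHECK | CRL_CHECK_ALL) also
    requires one for every intermediate CA. A missing CRL fails the handshake
    with a verification error, it does not silently skip the check.
    """
    both = int(ssl.VERIFY_CRL_CHECK_CHAIN)        # CHECK_CHAIN covers the LEAF bit
    wanted = ssl.VERIFY_CRL_CHECK_CHAIN if check_chain else ssl.VERIFY_CRL_CHECK_LEAF
    # Plain ints: clear both CRL bits, keep every other flag, then set the mode.
    ctx.verify_flags = (int(ctx.verify_flags) & ~both) | int(wanted)
    return ctx

def disable_crl_checks(ctx):
    """Clear both CRL bits without touching any other verification flag."""
    ctx.verify_flags = int(ctx.verify_flags) & ~int(ssl.VERIFY_CRL_CHECK_CHAIN)
    return ctx

def crl_mode(ctx):
    """Report which CRL policy ctx enforces: 'none', 'leaf' or 'chain'."""
    flags = int(ctx.verify_flags)
    if (flags & ssl.VERIFY_CRL_CHECK_CHAIN) == ssl.VERIFY_CRL_CHECK_CHAIN:
        return "chain"
    if flags & ssl.VERIFY_CRL_CHECK_LEAF:
        return "leaf"
    return "none"

def new_client_context(cafile=None, crlfile=None, check_chain=False):
    """CERT_REQUIRED client context; the CRL loads through the same call as CAs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if crlfile:
        # OpenSSL uses one loader for certs and CRLs (msg203170), but loading
        # alone enables nothing: the verify flag has to be set as well.
        ctx.load_verify_locations(cafile=crlfile)
        enable_crl_checks(ctx, check_chain)
    return ctx

if __name__ == "__main__":
    import socket, sys
    host, cafile, crlfile = sys.argv[1:4]   # assumed usage: host ca.pem crl.pem
    ctx = new_client_context(cafile, crlfile)
    with socket.create_connection((host, 443)) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as tls:
        print(tls.version(), "CRL mode:", crl_mode(ctx))
```

Without a CRL for the server's issuer loaded, a context in "leaf" mode rejects the connection, which is the behaviour msg203627 flags with "(!)".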

Date | User | Action | Args
2022-04-11 14:57:01 | admin | set | github: 53059
2014-03-18 10:05:00 | vstinner | set | messages: + msg213954
2014-03-18 09:47:14 | christian.heimes | set | messages: + msg213953
2014-03-18 09:44:37 | vstinner | set | messages: + msg213952
2014-03-18 09:41:38 | christian.heimes | set | status: open -> closed; messages: + msg213951
2014-03-17 23:41:04 | vstinner | set | messages: + msg213920
2014-03-09 22:50:26 | python-dev | set | status: pending -> open; messages: + msg212998
2013-11-23 10:40:55 | christian.heimes | set | priority: release blocker -> normal; status: open -> pending; resolution: fixed; messages: + msg203984
2013-11-23 10:24:41 | python-dev | set | messages: + msg203983
2013-11-23 05:03:19 | ned.deily | set | priority: normal -> release blocker; nosy: + larry; messages: + msg203966
2013-11-22 22:30:39 | ned.deily | set | messages: + msg203905
2013-11-22 22:21:54 | christian.heimes | set | messages: + msg203904
2013-11-22 21:49:09 | ned.deily | set | status: pending -> open; nosy: + ned.deily; messages: + msg203895; resolution: fixed -> (no value)
2013-11-21 23:00:45 | christian.heimes | set | status: open -> pending; messages: + msg203694; assignee: christian.heimes; resolution: fixed; stage: patch review -> resolved
2013-11-21 22:56:22 | python-dev | set | nosy: + python-dev; messages: + msg203691
2013-11-21 22:47:17 | pitrou | set | messages: + msg203689
2013-11-21 22:45:17 | christian.heimes | set | messages: + msg203688
2013-11-21 22:05:32 | pitrou | set | messages: + msg203681
2013-11-21 22:03:27 | christian.heimes | set | messages: + msg203680
2013-11-21 21:59:00 | pitrou | set | messages: + msg203678
2013-11-21 19:10:52 | christian.heimes | set | messages: + msg203666
2013-11-21 18:22:21 | pitrou | set | messages: + msg203664
2013-11-21 18:12:40 | christian.heimes | set | files: + verify_flags_crl2.patch; messages: + msg203663
2013-11-21 12:58:05 | christian.heimes | set | messages: + msg203627
2013-11-21 02:30:22 | christian.heimes | set | files: + verify_flags_crl.patch; keywords: + patch; messages: + msg203562; stage: needs patch -> patch review
2013-11-17 14:24:45 | christian.heimes | set | messages: + msg203170
2013-08-24 22:42:47 | dstufft | set | nosy: + dstufft
2013-07-08 12:22:02 | christian.heimes | set | nosy: + christian.heimes; components: + Extension Modules; versions: + Python 3.4, - Python 3.3
2011-10-05 19:26:10 | dandrzejewski | set | nosy: + dandrzejewski
2011-09-01 21:41:22 | pitrou | set | stage: needs patch; messages: + msg143358; versions: + Python 3.3, - Python 3.2
2010-05-24 21:54:50 | giampaolo.rodola | set | nosy: + giampaolo.rodola
2010-05-24 21:28:09 | pitrou | set | type: enhancement
2010-05-24 21:17:17 | vstinner | set | nosy: + pitrou
2010-05-24 21:17:08 | vstinner | create |