PEP 476: verify HTTPS certificates by default #66607
Comments
Attached minimal patch updates http.client.HTTPSConnection to validate certs by default and adjusts test.test_httplib accordingly. It doesn't currently include any docs changes, or changes to urllib. The process wide "revert to the old behaviour" hook is to monkeypatch the ssl module:

ssl._create_default_https_context = ssl._create_unverified_context

To monkeypatch the stdlib to validate *everything* (this one isn't new, just noting it for the record):

ssl._create_stdlib_context = ssl.create_default_context
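Because the opt-out hook above is process-wide, any library in the interpreter can silently downgrade every stdlib HTTPS connection. The following added example (not part of the patch or of CPython) checks the hook that http.client consults when no explicit context is given, and shows what a connection object inherits while the unverified hook is installed; it relies only on the private `ssl._create_default_https_context` and `ssl._create_unverified_context` names named in this issue.

```python
"""Audit the process-wide HTTPS verification default introduced by PEP 476.

Added example, not CPython code. It reads the private hook
ssl._create_default_https_context, which http.client.HTTPSConnection
calls when no context is passed, so a defender can detect whether some
dependency has reverted the process to unverified HTTPS.
"""
import http.client
import ssl


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Return the two settings that decide whether a MITM certificate is rejected."""
    return {
        "requires_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
    }


def https_default_is_verified() -> bool:
    """True when the stdlib default HTTPS context still validates certificates.

    This calls the same hook http.client uses, so it reflects exactly what an
    HTTPSConnection created without an explicit context would get.
    """
    settings = describe_context(ssl._create_default_https_context())
    return settings["requires_cert"] and settings["check_hostname"]


def simulate_opt_out() -> dict:
    """Install the revert hook from the issue, record its effect on a fresh
    HTTPSConnection (created but never connected), then restore the default."""
    saved = ssl._create_default_https_context
    try:
        ssl._create_default_https_context = ssl._create_unverified_context
        while_patched = https_default_is_verified()
        # Constructing the connection does not open a socket; only the
        # context it picked up matters here.
        conn = http.client.HTTPSConnection("example.invalid")
        conn_settings = describe_context(conn._context)
    finally:
        ssl._create_default_https_context = saved
    return {
        "verified_while_patched": while_patched,
        "connection": conn_settings,
        "verified_after_restore": https_default_is_verified(),
    }


if __name__ == "__main__":
    print("default verified:", https_default_is_verified())
    print(simulate_opt_out())
```

A deployment health check can call `https_default_is_verified()` at startup; a False result means something in the process has installed the unverified hook and HTTPS requests without an explicit context will accept any certificate.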
Currently marking as a deferred blocker, as Alex wasn't sure he'd be able to get PEP-476 fully updated in time for 3.4.2rc1, and was willing to accept waiting for 2.7.9 and 3.4.3 rather than delaying 3.4.2 any further. However, that was before Senthil accepted the patch in 22366 for 3.5, which means we're at "feature complete" for the proposed changes. There's still the bpo-22366 backport patch, PEP update, docs updates and What's New updates to go, so assigning to Alex to decide if he wants to work with Larry to get this ready to go for 3.4.2 (noting that the PEP still needs the final tick of approval from Guido after being updated to reflect the proposed implementation). Otherwise we can get it ready for 2.7.9 with the other SSL changes, and it will appear in the 3.4.3 maintenance release, rather than 3.4.2. (Note that I'm busy most of this weekend, so +1 from me in advance if you decide to go ahead with getting it into 3.4.2)
Patch with the implementation, and initial work on documentation. Needs review please, I suspect we need more docs in more places. Feedback please!
Patch now makes more precise assertions about the type of error that's occurring.
Updates to the docs based on the feedback from Antoine.
New version of the patch based on feedback from Benjamin, should make it easier to do the 3.4 branch stuff.
New patch uses self-signed.pythontest.net, instead of svn.python.org. svn.python.org is signed by CACert, which is in the root on some machines.
% ./python Lib/test/regrtest.py -v test_urllib2_localnet
======================================================================
Traceback (most recent call last):
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1182, in do_open
h.request(req.get_method(), req.selector, req.data, headers)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1090, in request
self._send_request(method, url, body, headers)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1128, in _send_request
self.endheaders(body)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1086, in endheaders
self._send_output(message_body)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 924, in _send_output
self.send(msg)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 859, in send
self.connect()
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1230, in connect
server_hostname=sni_hostname)
File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 364, in wrap_socket
_context=self)
File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 584, in __init__
self.do_handshake()
File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 811, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 548, in test_https
data = self.urlopen("https://localhost:%s/bizarre" % handler.port)
File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 455, in urlopen
f = urllib.request.urlopen(url, data, **kwargs)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 161, in urlopen
return opener.open(url, data, timeout)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 463, in open
response = self._open(req, data)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 481, in _open
'_open', req)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 441, in _call_chain
result = func(*args)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1225, in https_open
context=self._context, check_hostname=self._check_hostname)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1184, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)>
======================================================================
Traceback (most recent call last):
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1182, in do_open
h.request(req.get_method(), req.selector, req.data, headers)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1090, in request
self._send_request(method, url, body, headers)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1128, in _send_request
self.endheaders(body)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1086, in endheaders
self._send_output(message_body)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 924, in _send_output
self.send(msg)
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 859, in send
self.connect()
File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1230, in connect
server_hostname=sni_hostname)
File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 364, in wrap_socket
_context=self)
File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 584, in __init__
self.do_handshake()
File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 811, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 587, in test_https_sni
self.urlopen("https://localhost:%s" % handler.port)
File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 455, in urlopen
f = urllib.request.urlopen(url, data, **kwargs)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 161, in urlopen
return opener.open(url, data, timeout)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 463, in open
response = self._open(req, data)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 481, in _open
'_open', req)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 441, in _call_chain
result = func(*args)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1225, in https_open
context=self._context, check_hostname=self._check_hostname)
File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1184, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)>
Ran 22 tests in 3.087s
Latest patch fixes the urllib2_localnet tests.
Fix for the failing test_ssl tests.
New changeset 2afe5413d7af by Benjamin Peterson in branch '3.4':
New changeset 731375f83406 by Benjamin Peterson in branch 'default':
Okay, 3.4/3.5 have been dealt with. I had to hack up test_logging a bit. (bpo-22788 would make that better). 2.7 now needs a backport.
Somehow the Windows bots are failing to verify python.org http://buildbot.python.org/all/builders/x86%20XP-4%203.x/builds/11179/steps/test/logs/stdio
Builds failing on koobs-freebsd9 buildbot for: 3.x: since revision b2c17681404f80edae2ee4846db701104d942cc4 Attaching both initial build failure test logs.
Attached patch backports this to 2.7.
New changeset fb83916c3ea1 by Benjamin Peterson in branch '2.7':
The Python 2.7 documentation for urllib still has a big warning notice at the top saying: """ When opening HTTPS URLs, it does not attempt to validate the server certificate. Use at your own risk! I believe this is incorrect since this patch was backported to the 2.7 branch. I checked it, and it verifies SSL certs by default. I guess the documentation for urllib should be updated to remove that warning?
Carlos, you are correct. Please create a new issue and make it a documentation issue for 2.7. Thanks!