Author pitrou
Recipients Ryan.Tucker, ahasenack, asdfasdfasdfasdfasdfasdfasdf, debatem1, devin, giampaolo.rodola, heikki, janssen, jsamuel, kiilerix, orsenthil, pitrou, vila, zooko
Date 2010-10-04.10:37:07
Message-id <1286188623.3178.9.camel@localhost.localdomain>
In-reply-to <1286153571.56.0.333502733747.issue1589@psf.upfronthosting.co.za>
Content
Hello,

> I added some extra verification to Mercurial
> (http://www.selenic.com/hg/rev/f2937d6492c5). Feel free to use the
> following under the Python license in Python or elsewhere. It could be
> a separate method/function or it could be integrated in wrap_socket and
> controlled by a keyword. I would appreciate if you find the
> implementation insufficient or incorrect.

Thank you, I'll take a look!

> Are CRLs checked by the SSL module? Otherwise it deserves a big fat
> warning.

They are not, but AFAIK most browsers don't check CRLs either...
(or, rather, they don't download updated CRLs)

> (I now assume that notBefore is handled by the SSL module and
> shouldn't be checked here.)

I can't say for sure, but OpenSSL seems to handle both notBefore and
notAfter as part of its cert verification routine (see interval_verify()
and cert_check_time() in crypto/x509/x509_vfy.c).
History
Date User Action Args
2010-10-04 10:37:11 pitrou set recipients: + pitrou, zooko, janssen, orsenthil, giampaolo.rodola, vila, heikki, ahasenack, kiilerix, debatem1, jsamuel, devin, asdfasdfasdfasdfasdfasdfasdf, Ryan.Tucker
2010-10-04 10:37:08 pitrou link issue1589 messages
2010-10-04 10:37:07 pitrou create
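
The notBefore/notAfter question discussed in this message, as an added example that is not part of the original message, of Python's ssl module, or of the Mercurial change: an application-level validity-window check over the dict returned by `getpeercert()`. The function name `validity_window_error` and the sample certificate dict are assumptions constructed for illustration; it does not replace chain verification and does not check revocation.

```python
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert();
# only the two date fields matter for this check.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Jan  5 09:34:43 2018 GMT",
    "notAfter": "Jan  5 09:34:43 2019 GMT",
}


def validity_window_error(cert, now=None):
    """Return None if `now` lies inside the certificate's validity window,
    otherwise a short string describing why the certificate is rejected.

    `cert` is a getpeercert()-style dict; `now` is seconds since the epoch
    (defaults to the current time).
    """
    if now is None:
        now = time.time()
    # getpeercert() returns an empty dict when the peer certificate was
    # not validated, so an empty value must fail closed.
    if not cert:
        return "no validated certificate available"
    for field in ("notBefore", "notAfter"):
        if field not in cert:
            return "certificate has no %s field" % field
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except ValueError as exc:
        return "unparseable validity date: %s" % exc
    if now < not_before:
        return "certificate is not yet valid (notBefore %s)" % cert["notBefore"]
    if now > not_after:
        return "certificate has expired (notAfter %s)" % cert["notAfter"]
    return None


if __name__ == "__main__":
    print(validity_window_error(SAMPLE_CERT) or "certificate is within its validity window")
```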