Message117942
Hello,
> I added some extra verification to Mercurial
> (http://www.selenic.com/hg/rev/f2937d6492c5). Feel free to use the
> following under the Python license in Python or elsewhere. It could be
> a separate method/function or it could be integrated in wrap_socket and
> controlled by a keyword. I would appreciate if you find the
> implementation insufficient or incorrect.
Thank you, I'll take a look!
> Are CRLs checked by the SSL module? Otherwise it deserves a big fat
> warning.
They are not, but AFAIK most browsers don't check CRLs either...
(or, rather they don't download updated CRLs)
> (I now assume that notBefore is handled by the SSL module and
> shouldn't be checked here.)
I can't say for sure, but OpenSSL seems to handle both notBefore and
notAfter as part of its cert verification routine (see interval_verify()
and cert_check_time() in crypto/x509/x509_vfy.c).

Date | User | Action | Args
2010-10-04 10:37:11 | pitrou | set | recipients: + pitrou, zooko, janssen, orsenthil, giampaolo.rodola, vila, heikki, ahasenack, kiilerix, debatem1, jsamuel, devin, asdfasdfasdfasdfasdfasdfasdf, Ryan.Tucker
2010-10-04 10:37:08 | pitrou | link | issue1589 messages
2010-10-04 10:37:07 | pitrou | create |