Message191882
Christian wrote:
> sslsocket gives you access to the peer's cert and chain (with
> #18233).
Very interesting (and useful). I've mostly been working with Python
2.7, and I had not fully noticed that Python 3.2+ has a ssl.SSLContext
class.
> I'd rather not implement a full wrapper for X509_STORE_CTX and X509
> certs. It's way too much code, super complex and easily confuses even
> experienced developers. Python's ssl module is limited to core
> functionality by design and choice.
> However I might be intrigued to implement support for
> SSL_CTX_set_cert_verify_callback() or SSL_CTX_set_verify().
SSL_CTX_set_verify() seems (mostly) redundant with SSLContext.verify_mode.
Or am I missing something?
> SSL_CTX_set_cert_verify_callback() has more potential, e.g.
>
>     def cert_verify_callback(sslsocket, storectx, verify_ok):
>         context = sslsocket.context
>
> storectx is a minimal X509_STORE_CTX object and verify_ok the boolean
> return value of X509_verify_cert(). Without a cert verify callback
> OpenSSL just uses the return value of X509_verify_cert()
> (ssl/ssl_cert.c:ssl_verify_cert_chain()).
I believe support for SSL_CTX_set_cert_verify_callback() would allow
customized certificate verification, which is what I am looking for.
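An added example, not code from this thread or from CPython, of the kind of customized verification mpb is after, done with what the stdlib ssl module already exposes (SSLContext.verify_mode and SSLSocket.getpeercert()) rather than with the SSL_CTX_set_cert_verify_callback hook under discussion: OpenSSL still validates the chain, and the application layers its own checks (validity window, subjectAltName matching, optional leaf fingerprint pin) on the result. It assumes Python 3.4+ for ssl.create_default_context(); the certificate dict and DER bytes are constructed stand-ins, and the hostname matcher is a deliberately small one (SAN only, single-label wildcard) rather than a full RFC 6125 implementation.

```python
"""Post-handshake certificate checks layered on ssl.SSLContext (added example)."""
import hashlib
import ssl
import time


def build_context(cafile=None):
    """Strict client context: chain verification and hostname matching on.
    Assumption: Python 3.4+ (ssl.create_default_context)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def san_dns_names(cert):
    """Collect dNSName entries from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(pattern, hostname):
    """Match one SAN dNSName against hostname.
    A wildcard is honoured only as the whole leftmost label ('*.example.test')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]
    return False


def verify_peer(cert, der, hostname, pinned_sha256=None, now=None):
    """Application-level checks after OpenSSL has accepted the chain.

    cert: dict as returned by SSLSocket.getpeercert()
    der:  bytes as returned by SSLSocket.getpeercert(binary_form=True)
    Returns (ok, reason) so the caller can log why a peer was rejected.
    """
    now = time.time() if now is None else now
    # 1. Validity window, using the stdlib parser for OpenSSL's date format.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity window"
    # 2. Name check against subjectAltName only; no commonName fallback.
    names = san_dns_names(cert)
    if not any(hostname_matches(name, hostname) for name in names):
        return False, "hostname %r not in subjectAltName %r" % (hostname, names)
    # 3. Optional pin on the SHA-256 fingerprint of the leaf certificate.
    if pinned_sha256 is not None:
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint != pinned_sha256.lower():
            return False, "leaf fingerprint %s does not match pin" % fingerprint
    return True, "ok"


# Constructed sample data shaped like getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "version": 3,
    "serialNumber": "01",
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Dec 31 23:59:59 2014 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}
SAMPLE_DER = b"constructed placeholder bytes, not a real DER certificate"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()
NOW_2013 = ssl.cert_time_to_seconds("Jun 25 20:08:54 2013 GMT")


if __name__ == "__main__":
    # With a live socket this would be:
    #   sock = build_context().wrap_socket(raw, server_hostname=host)
    #   verify_peer(sock.getpeercert(), sock.getpeercert(binary_form=True), host, pin)
    print(verify_peer(SAMPLE_CERT, SAMPLE_DER, "api.example.test", SAMPLE_PIN, NOW_2013))
    print(verify_peer(SAMPLE_CERT, SAMPLE_DER, "a.b.example.test", None, NOW_2013))
```

The pin is on the leaf certificate's DER bytes, which is the simplest form and must be rotated whenever the certificate is reissued; pinning the SubjectPublicKeyInfo instead survives reissuance with the same key, but extracting it needs an ASN.1 parser the stdlib does not provide, which is exactly the gap the thread is discussing.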
Date                | User | Action | Args
2013-06-25 20:08:54 | mpb  | set    | recipients: + mpb, christian.heimes, r.david.murray
2013-06-25 20:08:54 | mpb  | set    | messageid: <1372190934.91.0.343069920029.issue18293@psf.upfronthosting.co.za>
2013-06-25 20:08:54 | mpb  | link   | issue18293 messages
2013-06-25 20:08:54 | mpb  | create |