
Author: mpb
Recipients: christian.heimes, mpb, r.david.murray
Date: 2013-06-25 20:08:54
Message-id: <1372190934.91.0.343069920029.issue18293@psf.upfronthosting.co.za>
Christian wrote:
> sslsocket gives you access to the peer's cert and chain (with 
> #18233).

Very interesting (and useful).  I've mostly been working with Python
2.7, and I had not fully noticed that Python 3.2+ has an ssl.SSLContext
class.

> I'd rather not implement a full wrapper for X509_STORE_CTX and X509 
> certs. It's way too much code, super complex and easily confuses even 
> experienced developers. Python's ssl module is limited to core 
> functionality by design and choice.

> However I might be intrigued to implement support for
> SSL_CTX_set_cert_verify_callback() or SSL_CTX_set_verify().

SSL_CTX_set_verify() seems (mostly) redundant with SSLContext.verify_mode.
Or am I missing something?

> SSL_CTX_set_cert_verify_callback() has more potential, e.g.
> 
> def cert_verify_callback(sslsocket, storectx, verify_ok):
>     context = sslsocket.context
>
> storectx is a minimal X509_STORE_CTX object and verify_ok the boolean
> return value of X509_verify_cert(). Without a cert verify callback
> OpenSSL just uses the return value of X509_verify_cert()
> (ssl/ssl_cert.c:ssl_verify_cert_chain()).

I believe support for SSL_CTX_set_cert_verify_callback() would allow
customized certificate verification, which is what I am looking for.
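Since the ssl module exposes no verify callback, one way to get customized verification with the API that does exist is to let the SSLContext do chain and hostname validation and then run the custom step yourself on the DER certificate that getpeercert(binary_form=True) returns after the handshake. The following is an added example, not code from this thread or from CPython; the pinned fingerprints and the constructed DER bytes are assumptions, and the approach is certificate pinning, not a port of SSL_CTX_set_cert_verify_callback().

```python
import hashlib
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate as lowercase hex (the same
    value `openssl x509 -fingerprint -sha256` prints, minus the colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: set) -> bool:
    """True if the presented certificate is one of the pinned fingerprints;
    pins may be given with colons and in either case."""
    normalised = {p.lower().replace(":", "") for p in pinned}
    return cert_fingerprint(der_cert) in normalised


def make_strict_context(cafile=None) -> ssl.SSLContext:
    """The policy the context can express on its own: chain validation
    against a CA store (the system store when cafile is None) and
    hostname checking, i.e. CERT_REQUIRED plus check_hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verify_pinned_peer(sslsock: ssl.SSLSocket, pinned: set) -> str:
    """The custom step a verify callback would have run: inspect the peer
    leaf certificate after the handshake and reject anything not pinned."""
    der = sslsock.getpeercert(binary_form=True)
    if not der:
        raise ssl.SSLError("peer presented no certificate")
    if not pin_matches(der, pinned):
        raise ssl.SSLError("peer certificate %s is not pinned" % cert_fingerprint(der))
    return cert_fingerprint(der)


def connect_pinned(host: str, port: int, pinned: set, cafile=None) -> ssl.SSLSocket:
    """TLS connection that must pass both the context's checks and the pin;
    on a pin mismatch the socket is closed before any application data flows."""
    ctx = make_strict_context(cafile)
    ssock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    try:
        verify_pinned_peer(ssock, pinned)
    except ssl.SSLError:
        ssock.close()
        raise
    return ssock


# Constructed placeholder bytes, not a real certificate; stands in for the DER
# value getpeercert(binary_form=True) would return from a live connection.
CONSTRUCTED_DER = b"\x30\x82constructed-not-a-real-certificate"
EXAMPLE_PINS = {cert_fingerprint(CONSTRUCTED_DER)}
```

Because the pin check runs after the handshake, a failure means the TLS session was already established; closing it immediately, as connect_pinned does, is what keeps application data from crossing an unpinned connection.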