Author christian.heimes
Recipients christian.heimes, dandrzejewski, dstufft, giampaolo.rodola, pitrou, vstinner
Date 2013-11-21.12:58:05
Message-id <1385038685.65.0.936908535264.issue8813@psf.upfronthosting.co.za>
In-reply-to
Content
My patch is inspired by mod_ssl:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup#l697

CRLs can already be loaded with SSLContext.load_verify_locations(). The patch exposes the verification flags of SSLContext's X509_STORE. With X509_V_FLAG_CRL_CHECK OpenSSL requires (!) a CRL that matches the issuer of the leaf certificate of the chain (the peer's cert). X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL also requires CRLs for all intermediate certs of the peer's cert chain.
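
Added example, not part of the original message or its patch: a startup check for the "requires (!) a CRL" behaviour described above, written against the verify_flags attribute and VERIFY_CRL_CHECK_* constants that the ssl module provides in Python 3.4 and later. The names CRL_MODES, build_context and preflight are made up for this illustration.

```python
import ssl

# Python names for the OpenSSL flags discussed in the message:
#   VERIFY_CRL_CHECK_LEAF  -> X509_V_FLAG_CRL_CHECK
#   VERIFY_CRL_CHECK_CHAIN -> X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL
CRL_MODES = {
    None: ssl.VERIFY_DEFAULT,
    "leaf": ssl.VERIFY_CRL_CHECK_LEAF,
    "chain": ssl.VERIFY_CRL_CHECK_CHAIN,
}


def build_context(trust_files=(), crl_mode=None):
    """Client context trusting only the given PEM files (CA certs and CRLs)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    for path in trust_files:
        # load_verify_locations() accepts CA certificates and CRLs alike.
        ctx.load_verify_locations(cafile=path)
    ctx.verify_flags |= CRL_MODES[crl_mode]
    return ctx


def preflight(ctx):
    """Return the reasons this context would reject every peer certificate."""
    stats = ctx.cert_store_stats()  # {'x509': n, 'crl': n, 'x509_ca': n}
    problems = []
    if stats["x509_ca"] == 0:
        problems.append("no CA certificates loaded")
    if ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF and stats["crl"] == 0:
        # With CRL checking on, a missing CRL is a hard verification failure,
        # not a skipped check.
        problems.append("CRL checking enabled but no CRL loaded")
    return problems


if __name__ == "__main__":
    for mode in (None, "leaf", "chain"):
        ctx = build_context(crl_mode=mode)  # constructed case: empty trust store
        print(mode, ctx.verify_flags, preflight(ctx))
```

The check only counts CRLs present in the store; it does not confirm that a loaded CRL matches the issuer of a given peer certificate or that it is still within its validity period.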