Message239965
The proposed patch adds the possibility to opt out of certificate verification.
Disclaimer: it is just a proof of concept, as the config value is hard-coded.
How does it work?
This patch depends on the existence of a config file which holds information about the protocol settings.
> $ cat cert-verification.conf
[https] # each protocol affected by cert-verification got its own section
verify=platform_default
Possible values for verify are:
enable - to enable certificate verification
disable - to disable certificate verification
platform_default - to use default (platform-specific) settings
Why platform_default?
This choice is for users who don't care about the security settings, so they put the decision into the hands of the platform (distro) from which they get Python. In rpm we can set the package to not replace user-edited configs when the rpm is updated, so if the user changes the default value of the config, the config will remain the same.
Python example:
>>> import http.client
>>> cn = http.client.HTTPSConnection('www.google.com')
>>> cn._context.verify_mode
0L # CERT_NONE
>>> # config changed to verify=enable, still same interpreter
>>> cn2 = http.client.HTTPSConnection('www.google.com')
>>> cn2._context.verify_mode
2L # CERT_REQUIRED
This is how the attached patch currently works, but I guess it would make more sense to make this behave consistently within the same interpreter even when the config is changed, with the change propagated in the next interpreter run/service restart.
Also, the patch could be changed to be module based instead of protocol based, but this would also need patching of the affected modules.
I open the RFE mainly to see if there is a will to implement optional certificate verification in upstream as it is in downstream [citation needed].
I've added some people to the nosy list based on https://docs.python.org/devguide/experts.html
Date | User | Action | Args
2015-04-03 10:38:07 | rkuska | set | recipients: + rkuska, ncoghlan, janssen, pitrou, vstinner, alex, dstufft
2015-04-03 10:38:06 | rkuska | set | messageid: <1428057486.92.0.857087998573.issue23857@psf.upfronthosting.co.za>
2015-04-03 10:38:06 | rkuska | link | issue23857 messages
2015-04-03 10:38:05 | rkuska | create |
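The lookup described in the message, sketched as an added example that is not part of the original message or the attached patch: the config text is re-read on every call, as in the REPL session above, and the three `verify` values are mapped to an `ssl.SSLContext`. The function names, the `PLATFORM_DEFAULT` constant and the choice to keep verification on for missing or unrecognised values are assumptions made for this example.

```python
import configparser
import ssl

# Assumption: the value a distro would ship as its default (hypothetical).
PLATFORM_DEFAULT = "enable"
VALID = {"enable", "disable", "platform_default"}

# Constructed sample in the format shown in the message.
SAMPLE_CONF = """\
[https] # each protocol affected by cert-verification got its own section
verify=platform_default
"""


def read_verify_setting(conf_text, protocol="https"):
    """Resolve a protocol's verify option to 'enable' or 'disable'."""
    parser = configparser.ConfigParser(
        interpolation=None, inline_comment_prefixes=("#",))
    try:
        parser.read_string(conf_text)
    except configparser.Error:
        return "enable"  # unparsable config: keep verification on
    value = parser.get(protocol, "verify", fallback="enable").strip().lower()
    if value not in VALID:
        return "enable"  # unknown value or typo: keep verification on
    return PLATFORM_DEFAULT if value == "platform_default" else value


def make_context(conf_text, protocol="https"):
    """Build an SSLContext for the setting; the config is re-read per call."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if read_verify_setting(conf_text, protocol) == "disable":
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verify_mode_name(conf_text, protocol="https"):
    """Name of the resulting verify_mode, e.g. 'CERT_REQUIRED'."""
    return make_context(conf_text, protocol).verify_mode.name


if __name__ == "__main__":
    for text in (SAMPLE_CONF, "[https]\nverify=disable\n", "[https]\nverify=off\n"):
        print(repr(text.splitlines()[-1]), "->", verify_mode_name(text))
```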