Message293590
Oh yeah, definitely not trustworthy at all. In my case, I am not processing the peer chain to actually verify trust, but I am still interested in inspecting the chain.
Dangerous or not, and regardless of what almost all people should *actually* be doing, SSL_get_peer_cert_chain exists for a reason, just like SSL_get_peer_certificate exists for a reason. If Python includes a standard SSL library, it should be transparent in the interface it offers, for the mere reason that the library becomes more powerful.
If the overall consensus is that the library should protect most people against common pitfalls and security mistakes, then I guess that's the route to continue on. However, I would be disappointed that we would be blacklisting the exposure of underlying library features based on the mere belief that people don't understand them enough! |
|
Date |
User |
Action |
Args |
2017-05-12 22:52:05 | chet | set | recipients:
+ chet, jcea, pitrou, christian.heimes, asmodai, maker, underrun, dstufft, dsoprea, miki725, mmasztalerczuk |
2017-05-12 22:52:05 | chet | set | messageid: <1494629525.51.0.901023098796.issue18233@psf.upfronthosting.co.za> |
2017-05-12 22:52:05 | chet | link | issue18233 messages |
2017-05-12 22:52:05 | chet | create | |
|