Python OpenSSL library

Terry Reedy

Could similar notifications be added to urllib, etc? That's where
people really get bitten badly by this.

If you have specific ideas, propose them on the tracker.
------
I think the following section
"
<blah>
"
should be added to <specific place>
---------

There are people who will add .rst markup to ascii text once it is
agreed on.

If you want cross-references to the above added to docs for other
modules, just say that.

Terry Jan Reedy

Paul Rubin

Terry Reedy said:
If you have specific ideas, propose them on the tracker.

urllib is basically a web client and as such it should act like a
browser, with a default certificate store. It should refuse to connect
to an https host that doesn't have a valid certificate, unless you
override the default (supply your own CA store or validation routine).
There could be some pre-written override options, such as accept expired
certificate, accept certificate named "www.xyz.com" when the actual host
is "abc.xyz.com", or that sort of thing. These are code changes, not
doc updates.

geremy condra

urllib is basically a web client and as such it should act like a
browser, with a default certificate store.  It should refuse to connect
to an https host that doesn't have a valid certificate, unless you
override the default (supply your own CA store or validation routine).
There could be some pre-written override options, such as accept expired
certificate, accept certificate named "www.xyz.com" when the actual host
is "abc.xyz.com", or that sort of thing.  These are code changes, not
doc updates.

I've opened the requested bug report:

http://bugs.python.org/issue9003

Just for the record, I'd rather see this fixed than note the need for a
workaround.

Geremy Condra

John Nagle

What do you mean by "doesn't"?
Can you point to an open bug report describing the issue?

http://bugs.python.org/issue1589

Just reopened by Antoine Pitrou.

Realistically, there are obscure situations where you might want to
open an SSL connection without hostname validation. Those
situations are unusual. (I actually do that to read the SSL
certificate, without sending data, in a system which collects data
from SSL certs. This is not the normal case.)

The typical Python user will expect SSL checking for URL opening
to behave like a browser does. They won't be up to speed on the
internal mechanics of X.509 certificates. The default case should
be to require a hostname match (considering certificate wildcards,
multiple common names, multiple alt names, etc.).

Expecting the caller to do this check is unreasonable. It's
about 70 lines of python code to cover all the cases. And
that's without proper support for error reporting for internationalized
host names.

Without a hostname check, the SSL module ensures only, as someone
else points out, that "you have an encrypted connection to your
attacker".

John Nagle
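As an added illustration (not code from this thread, from m2crypto, or from the stdlib), here is a hostname check of the kind John describes, written against the dict shape that ssl.getpeercert() returns: it walks the dNSName subjectAltNames, handles a leftmost-label wildcard without letting it span a dot, and falls back to the subject commonName only when no dNSName is present. SAMPLE_CERT is a constructed example, not a real certificate.

```python
from typing import Dict, List

# Constructed sample in the shape ssl.getpeercert() returns; not a real cert.
SAMPLE_CERT: Dict = {
    'subject': ((('commonName', 'www.xyz.com'),),),
    'subjectAltName': (('DNS', 'www.xyz.com'),),
}

class CertificateError(ValueError):
    """Certificate was not issued for the requested hostname."""

def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one dNSName/CN pattern against hostname.
    A '*' is honoured only as the entire leftmost label, it never spans a
    dot, and it needs at least two fixed labels after it (so '*.xyz.com'
    matches 'abc.xyz.com' but not 'a.b.xyz.com', 'xyz.com' or '*.com')."""
    labels = pattern.lower().split('.')
    host_labels = hostname.lower().rstrip('.').split('.')
    if not pattern or len(labels) != len(host_labels):
        return False
    if labels[0] == '*':
        if len(labels) < 3 or host_labels[0] == '':
            return False
        return labels[1:] == host_labels[1:]
    return labels == host_labels  # partial wildcards like 'w*' are literal

def match_hostname(cert: Dict, hostname: str) -> None:
    """Raise CertificateError unless `cert` (ssl.getpeercert() shape) names
    `hostname`.  dNSName subjectAltNames win; the subject commonName is
    consulted only when the cert carries no dNSName SAN at all."""
    if not cert:
        raise CertificateError("empty certificate: peer cert was not "
                               "requested (CERT_NONE) or not validated")
    names: List[str] = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if _dnsname_match(value, hostname):
                return
            names.append(value)
    if not names:  # legacy fallback: commonName(s) in the subject DN
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    if _dnsname_match(value, hostname):
                        return
                    names.append(value)
    raise CertificateError("hostname %r doesn't match any of %r"
                           % (hostname, names))
```

Note that getpeercert() only returns a populated dict when the socket was created with CERT_REQUIRED, so the empty-dict branch is what catches the "no validation at all" configuration.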

Antoine Pitrou

http://bugs.python.org/issue1589 [...]

The typical Python user will expect SSL checking for URL opening
to behave like a browser does. They won't be up to speed on the
internal mechanics of X.509 certificates. The default case should
be to require a hostname match (considering certificate wildcards,
multiple common names, multiple alt names, etc.).

Expecting the caller to do this check is unreasonable. It's
about 70 lines of python code to cover all the cases. And
that's without proper support for error reporting for internationalized
host names.

If you are interested in this, I would encourage you to post a patch or
a proposal on the aforementioned bug entry so as to add a hostname
checking function to the SSL module.
(m2crypto has its own implementation that can serve as a source of
inspiration, and test cases)

If/when that is done, the second step would be to integrate it by
default with the urllib module, and perhaps other ones.

Thanks

Antoine.

geremy condra

http://bugs.python.org/issue1589 [...]

The typical Python user will expect SSL checking for URL opening
to behave like a browser does. They won't be up to speed on the
internal mechanics of X.509 certificates.  The default case should
be to require a hostname match (considering certificate wildcards,
multiple common names, multiple alt names, etc.).

Expecting the caller to do this check is unreasonable.  It's
about 70 lines of python code to cover all the cases.  And
that's without proper support for error reporting for internationalized
host names.

If you are interested in this, I would encourage you to post a patch or
a proposal on the aforementioned bug entry so as to add a hostname
checking function to the SSL module.
(m2crypto has its own implementation that can serve as a source of
inspiration, and test cases)

If/when that is done, the second step would be to integrate it by
default with the urllib module, and perhaps other ones.

John, I'll do this if you don't want to. Let me know.

Geremy Condra