
Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

From: M.-A. Lemburg <m...@egenix.com>
Fri, 29 Aug 2014 23:58:29 +0200
On 29.08.2014 23:11, Donald Stufft wrote:
> Sorry I was on my phone and didn’t get to fully reply to this.
>
>> On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg <m...@egenix.com> wrote:
>>
>> On 29.08.2014 21:47, Alex Gaynor wrote:
>>> Hi all,
>>>
>>> I've just submitted PEP 476, on enabling certificate validation by default for
>>> HTTPS clients in Python. Please have a look and let me know what you think.
>>>
>>> PEP text follows.
>>
>> Thanks for the PEP. I think this is generally a good idea,
>> but some important parts are missing from the PEP:
>>
>> * transition plan:
>>
>>   I think starting with warnings in Python 3.5 and going
>>   for exceptions in 3.6 would make a good transition
>>
>>   Going straight for exceptions in 3.5 is not in line with
>>   our normal procedures for backwards incompatible changes.
>
> As far as a transition plan, I think that this is an important
> enough thing to have an accelerated process. If we need
> to provide a warning then let’s add it to the next 3.4, otherwise
> it’s going to be 2.5+ years until we stop being unsafe by
> default.
Fine with me; we're still early in the Python 3.4
patch level releases.

> Another problem with this is that I don’t think it’s actually
> possible to do. Python itself isn’t validating the TLS certificates,
> OpenSSL is doing that. To my knowledge OpenSSL doesn’t
> have a way to say “please validate these certificates and if
> they don’t validate go ahead and keep going and just let me
> get a warning from it”. It’s a 3 way switch: no validation, validation
> if a certificate is provided, and validation always.
>
> Now that’s strictly for the “verify the certificate chain” portion,
> the hostname verification is done entirely on our end and we
> could do something there… but I’m not sure it makes sense
> to do so if we can’t do it for invalid certificates too.
OpenSSL provides a callback for certificate validation,
so it is possible to issue a warning and continue with
accepting the certificate.

>> * configuration:
>>
>>   It would be good to be able to switch this on or off
>>   without having to change the code, e.g. via a command
>>   line switch and environment variable; perhaps even
>>   controlling whether or not to raise an exception or
>>   warning.
>
> I’m on the fence about this. If someone provides a certificate
> that we can validate against (which can be done without
> touching the code) then the only thing that really can’t be
> “fixed” without touching the code is if someone has a certificate
> that is otherwise invalid (expired, not yet valid, wrong hostname,
> etc). I’d say if I was voting on this particular thing I’d be -0, I’d
> rather it didn’t exist but I wouldn’t cry too much if it did.
If you're testing code or trying out some new stuff, you
don't want to get a valid cert first, but instead go ahead
with a self signed one. That's the use case.

>> * choice of trusted certificate:
>>
>>   Instead of hard wiring using the system CA roots into
>>   Python it would be good to just make this default and
>>   permit the user to point Python to a different set of
>>   CA roots.
>>
>>   This would enable using self signed certs more easily.
>>   Since these are often used for tests, demos and education,
>>   I think it's important to allow having more control of
>>   the trusted certs.
>
> Like my other email said, the Python API has everything needed
> to easily specify your own CA roots and/or disable the validations.
> The OpenSSL library also allows you to specify either a directory
> or a file to change the root certificates without code changes. The
> only real problems with the APIs are that the default is bad and
> an unrelated thing where you can’t pass in an in memory certificate.
Are you sure that's possible? Python doesn't load the
openssl.cnf file and the SSL_CERT_FILE, SSL_CERT_DIR env
vars only work for the openssl command line binary, AFAIK.

In any case, Python will have to tap into the OS CA root
provider using special code and this code could easily be
made to check other dirs/files as well.

The point is that it should be possible to change this default
at the Python level, without needing application code changes.

-- Marc-Andre Lemburg
eGenix.com

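As an added illustration (not code from the thread or from CPython), the snippet below shows how the ssl module's existing API, the one Donald points to, lets both the "3 way switch" and the set of trusted CA roots be chosen outside application code, which is the knob Marc-Andre asks for. `ssl.get_default_verify_paths()` reports the environment variable names the linked OpenSSL honours (normally SSL_CERT_FILE and SSL_CERT_DIR); `PYTHON_SSL_VERIFY` is a hypothetical variable invented for this example.

```python
import os
import ssl

# The "3 way switch" from the quoted mail, mapped onto the ssl module's constants.
VERIFY_MODES = {
    "none": ssl.CERT_NONE,          # no chain validation at all
    "optional": ssl.CERT_OPTIONAL,  # validate only if the peer sends a certificate
    "required": ssl.CERT_REQUIRED,  # always validate; the handshake fails otherwise
}


def openssl_env_var_names():
    """Return the env var names this OpenSSL build honours for the CA file and
    the CA directory (normally SSL_CERT_FILE and SSL_CERT_DIR)."""
    paths = ssl.get_default_verify_paths()
    return paths.openssl_cafile_env, paths.openssl_capath_env


def make_client_context(mode=None, cafile=None, capath=None, environ=None):
    """Build a verifying client context whose strictness and trust anchors come
    from arguments or environment variables, not from application code.

    PYTHON_SSL_VERIFY is a hypothetical variable invented for this example;
    `environ` lets a caller (or a test) substitute a dict for os.environ.
    """
    env = os.environ if environ is None else environ
    mode = (mode or env.get("PYTHON_SSL_VERIFY", "required")).lower()
    if mode not in VERIFY_MODES:
        raise ValueError("unknown verify mode %r" % mode)
    cafile_env, capath_env = openssl_env_var_names()
    cafile = cafile or env.get(cafile_env)
    capath = capath or env.get(capath_env)

    # create_default_context() (3.4+) loads the given CA file/dir, or falls
    # back to the OS trust store when neither is supplied.
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    # check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    ctx.check_hostname = mode != "none"
    ctx.verify_mode = VERIFY_MODES[mode]
    return ctx
```

Pointing SSL_CERT_FILE at a self-signed test certificate keeps full validation on while trusting only that one certificate, which covers the test/demo use case without touching the application code.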