Antoine Pitrou <pit...@free.fr> added the comment:

> Be sure to support SAN.  People forget that, and the API makes it a pain in
> the butt (the validator doesn't even know who you're validating for).

Right, that's why we added the match_hostname() function. It knows about 
subjectAltName, except for raw IP addresses.
The tests for it can be found here:
http://hg.python.org/cpython/file/0466ee1816b1/Lib/test/test_ssl.py#l265

> Technically, you could check the Windows certificate stores too, if you
> wanted to write that code.

Well, I don't know how to interface them with OpenSSL.

> Before going to python-dev, what do you think is feasible,
> implementation-wise?

Technically, shipping certificates shouldn't be difficult. The final install 
location is defined at "./configure" time, so loading the certs shouldn't be a 
problem either.
Whether or not we enable them by default is a matter of policy. I think 
enabling them by default could be a nasty surprise for users who currently rely 
on a narrower set of trusted certs.

> The right thing would be to use the in-built cert set if and only if the
> system certs couldn't be checked.

That might not be easy. OpenSSL's SSL_CTX_set_default_verify_paths() 
deliberately doesn't report errors.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13647>
_______________________________________
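Added example, not part of the original message and not CPython's own code: a simplified hostname check over a dict shaped like the result of `SSLSocket.getpeercert()`, showing the subjectAltName behaviour discussed above. A dNSName entry takes precedence over commonName, and "IP Address" entries are not consulted, which is the gap the comment mentions. The certificates and the names `check_hostname` and `dnsname_matches` are constructed for illustration, and the wildcard rule here (whole leftmost label only) is an assumption of this sketch.

```python
def dnsname_matches(pattern, hostname):
    """Compare one certificate name with the requested host, label by label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # wildcard must be the entire leftmost label and cover a non-empty label
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_hostname(cert, hostname):
    """Return (matched, field_used) for a getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        # RFC 2818: when a dNSName is present, commonName is not consulted
        ok = any(dnsname_matches(name, hostname) for name in dns_names)
        return ok, "subjectAltName"
    # "IP Address" entries are skipped on purpose, so a raw IP never matches here
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dnsname_matches(value, hostname):
                return True, "commonName"
    return False, "commonName"


# Constructed sample certificates (not taken from any real server)
CERT_SAN = {
    "subject": ((("commonName", "legacy.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.api.example.org")),
}
CERT_IP_ONLY = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

if __name__ == "__main__":
    for cert, host in [(CERT_SAN, "www.example.org"),
                       (CERT_SAN, "legacy.example.org"),
                       (CERT_SAN, "v1.api.example.org"),
                       (CERT_IP_ONLY, "192.0.2.10")]:
        print(host, check_hostname(cert, host))
```
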