New submission from Jussi Pakkanen:

Create a dummy certificate and build an ssl context like this:

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=dummy_certificate)

Then try to connect to a public service like this:

    u = urllib.request.urlopen('https://www.google.com', context=ctx)
    data = u.read()

Python will validate the server certificate even though it should reject it. Attached is a script to demonstrate this.

This happens with Python 3.4.3 on OSX 10.10.4. Running the same script in Ubuntu raises a certificate rejection exception as expected.

----------
components: Library (Lib)
files: sslbug.py
messages: 246813
nosy: jpakkane
priority: normal
severity: normal
status: open
title: Python accepts SSL certificate that should be rejected on OSX
type: security
versions: Python 3.4
Added file: http://bugs.python.org/file39936/sslbug.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24646>
_______________________________________
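The script below is an added example written for this page; it is not the attached sslbug.py and not code from the Python project. It turns the report's reproduction into a self-check a deployer can run on any platform: build a client context that trusts only one supplied CA, confirm via get_ca_certs() that nothing else (in particular the platform store) is present, then classify a handshake to a public host as rejected, accepted or unreachable, where "accepted" with an empty or dummy-only store is exactly the behaviour reported. DUMMY_CA_PEM is a placeholder for the reporter's dummy certificate; make_pinned_context, trust_store_size, context_is_isolated and probe are names chosen here. PROTOCOL_TLS_CLIENT replaces the report's PROTOCOL_TLSv1 because the latter is deprecated in current Python; the verify settings are the same.

```python
import socket
import ssl
from typing import Optional

# Constructed placeholder: put the PEM text of the single CA you intend to
# trust here (the report's "dummy certificate"). None keeps the store empty,
# which must still cause every public server to be rejected.
DUMMY_CA_PEM: Optional[str] = None


def make_pinned_context(ca_pem: Optional[str]) -> ssl.SSLContext:
    """Build a client context that trusts *only* the CA passed in.

    PROTOCOL_TLS_CLIENT already implies CERT_REQUIRED and check_hostname;
    both are set again explicitly to mirror the report. The platform
    trust store is deliberately NOT loaded (no load_default_certs()).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_pem is not None:
        # Raises ssl.SSLError when the text contains no PEM certificate,
        # so a typo in the CA path cannot silently leave the store empty.
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def trust_store_size(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates actually loaded into this context."""
    return len(ctx.get_ca_certs())


def context_is_isolated(ctx: ssl.SSLContext, expected_cas: int) -> bool:
    """True when verification is mandatory and the store holds exactly the
    CAs we loaded, i.e. nothing from the platform store leaked in."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and trust_store_size(ctx) == expected_cas)


def probe(host: str, ctx: ssl.SSLContext, port: int = 443,
          timeout: float = 5.0) -> str:
    """Attempt a TLS handshake and classify the outcome.

    'rejected'    - certificate verification failed (the correct result
                    for a public host with a dummy-only trust store)
    'accepted'    - the handshake completed; with such a store this is
                    the bug the report describes
    'unreachable' - DNS/TCP/timeout error, nothing learned about TLS
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket() performs the handshake on a connected socket.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()
                return "accepted"
    except (ssl.SSLError, ssl.CertificateError):
        return "rejected"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    ctx = make_pinned_context(DUMMY_CA_PEM)
    # Assumes the placeholder PEM holds exactly one CA certificate.
    expected = 0 if DUMMY_CA_PEM is None else 1
    print("trust store isolated:", context_is_isolated(ctx, expected))
    # Must print 'rejected'; 'accepted' reproduces the reported behaviour.
    print("www.google.com:", probe("www.google.com", ctx))
```

Run it on the affected and the unaffected machine with the same PEM: the first print should be True on both, and the second line is the check that distinguishes them. Because the trust store is inspected before the network is touched, a context that unexpectedly reports more CAs than you loaded points at the store, while an "accepted" result with an isolated store points at the verification path itself.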