Christian Heimes <li...@cheimes.de> added the comment:

I looked into the matter. It's certainly doable to have simple CT validation. A custom CT policy is a bit more work, as I would have to provide a callback and two new types.

* a method to load CT log config, SSL_CTX_set_ctlog_list_file()
* a method to enable CT verification mode, SSL_CTX_enable_ct()
* an optional callback to handle SCTs and enforce policies
* wrappers for CT_POLICY_EVAL_CTX and SCT structs

There is also the issue of CT log list configuration. Neither Fedora nor Debian ship a CT log file [1]. Without a CT log configuration, SCT validation doesn't work. I created [2] to generate a config file from Chrome's known CT list. The configuration isn't static and the list needs to be updated regularly.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876403
[2] https://github.com/tiran/ct_log_list

----------
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue30525>
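As an added illustration of the missing piece the comment describes (the CT log configuration that SSL_CTX_set_ctlog_list_file() consumes), here is a small converter from a Chrome-style log list to OpenSSL's ct_log_list.cnf layout. This is example code written for this page, not the ct_log_list tool linked above and not part of Python's ssl module; the JSON layout (a top-level "logs" array with "description", "key", "url") is assumed, the log entries and keys are constructed placeholders, and the output format follows the documented OpenSSL form (an enabled_logs line plus one [section] per log with description and base64 DER key).

```python
import base64
import json
import re

# Constructed sample in an assumed Chrome log_list.json layout.
# The keys are placeholder DER blobs, not real CT log public keys.
CHROME_LOG_LIST = json.dumps({
    "logs": [
        {"description": "Example Log One",
         "key": base64.b64encode(b"\x30\x59example-spki-1").decode(),
         "url": "ct1.example.test/"},
        {"description": "Example Log Two",
         "key": base64.b64encode(b"\x30\x59example-spki-2").decode(),
         "url": "ct2.example.test/"},
    ]
})


def section_name(description):
    """Derive an OpenSSL config section name (lowercase alnum and '_') from a log description."""
    name = re.sub(r"[^a-z0-9]+", "_", description.lower()).strip("_")
    return name or "log"


def check_key(b64_key):
    """Accept only strict base64 whose DER payload starts with an ASN.1 SEQUENCE tag (0x30),
    the outer tag of a SubjectPublicKeyInfo; anything else is rejected rather than written out."""
    raw = base64.b64decode(b64_key, validate=True)
    if not raw or raw[0] != 0x30:
        raise ValueError("key is not a DER SubjectPublicKeyInfo")
    return b64_key


def to_openssl_ct_log_list(chrome_json):
    """Render the ct_log_list.cnf format that SSL_CTX_set_ctlog_list_file() loads."""
    logs = json.loads(chrome_json)["logs"]
    names, sections = [], []
    for log in logs:
        name = section_name(log["description"])
        if name in names:  # two logs must never collapse into one config section
            raise ValueError("duplicate section name: " + name)
        names.append(name)
        sections.append("[%s]\ndescription = %s\nkey = %s\n"
                        % (name, log["description"], check_key(log["key"])))
    return "enabled_logs = " + ",".join(names) + "\n\n" + "\n".join(sections)


if __name__ == "__main__":
    print(to_openssl_ct_log_list(CHROME_LOG_LIST))
```

Because the log list changes over time, the generated file has to be regenerated and redeployed on a schedule rather than shipped once.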
I looked into the matter. It's certainly doable to have simple CT validation. A custom CT policy is a bit more work, as I would have to provide a callback and two new types. * a method to load CT log config, SSL_CTX_set_ctlog_list_file() * a method to enable CT verification mode, SSL_CTX_enable_ct() * an optional callback to handle SCTs and enforce policies. * wrappers for CT_POLICY_EVAL_CTX and SCT structs There is also the issue of CT log list configuration. Neither Fedora nor Debian ship a CT log file [1]. Without a CT log configuration, SCT validation doesn't work. I created [2] to generate a config file from Chrome's known CT list. The configuration isn't static and list needs to be updated regularly. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876403 https://github.com/tiran/ct_log_list ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue30525> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com