On Thu, Jul 29, 2010 at 9:13 AM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Wed, 28 Jul 2010 22:23:48 -0700
> geremy condra <debat...@gmail.com> wrote:
>> >
>> > The new Python SSL module in 2.6 and later has a huge built-in
>> > security hole - it doesn't verify the domain against the
>> > certificate. As someone else put it, this means "you get to
>> > talk securely with your attacker." As long as the site or proxy
>> > has some valid SSL cert, any valid SSL cert copied from anywhere,
>> > the new Python SSL module will tell you everything is just fine.
>> >
>> > John Nagle
>>
>> Did anything ever come of the discussion that you and Antoine had?
>
> As I wrote in http://bugs.python.org/issue1589, I would support adding
> the necessary function(s) to the SSL module, and have urllib (and other
> stdlib modules) support them. Someone needs to write a patch, though.
>
> Regards
>
> Antoine.

Hmm, my understanding at the time was that there had been a decision to
just adapt Heikki Toivonen's M2Crypto code; if that's just looking for
someone to turn it into a patch, I'll see if I can't find the time next
week.

Geremy Condra
-- 
http://mail.python.org/mailman/listinfo/python-list
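
The check this thread says the ssl module lacks, as an added example (not code from the thread, from the issue1589 discussion, or from M2Crypto): it matches a hostname against the dict that ssl.SSLSocket.getpeercert() returns for a validated certificate. The function names and the sample certificates are constructed for illustration.

```python
# Added illustration: hostname check over the dict shape returned by
# ssl.SSLSocket.getpeercert(). All sample certificates below are constructed.
class HostnameMismatch(ValueError):
    """The certificate is valid, but not for the host we meant to reach."""

def dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name with a hostname, case-insensitively.
    A '*' is honoured only as the entire leftmost label and covers exactly
    one label, so '*.example.net' does not match 'a.b.example.net'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels, which rejects e.g. '*.com'.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels

def names_in_cert(cert):
    """DNS names the certificate covers: dNSName subjectAltName entries,
    falling back to the subject commonName only when there are none."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_hostname(cert, hostname):
    """Return True if cert names hostname, else raise HostnameMismatch."""
    if not cert:  # getpeercert() gives {} when the cert was not validated
        raise HostnameMismatch("no validated peer certificate")
    names = names_in_cert(cert)
    if not any(dns_name_matches(n, hostname) for n in names):
        raise HostnameMismatch("%r is not one of %r" % (hostname, names))
    return True

# Constructed samples: each would pass chain validation, yet names one site only.
OTHER_SITE = {"subject": ((("commonName", "www.example.net"),),),
              "subjectAltName": (("DNS", "www.example.net"), ("DNS", "*.example.net"))}
CN_ONLY = {"subject": ((("commonName", "mail.example.org"),),)}
MIXED = {"subject": ((("commonName", "bank.example.com"),),),
         "subjectAltName": (("DNS", "www.example.net"),)}
```

A caller would run check_hostname(sock.getpeercert(), host) right after the handshake, with cert_reqs=ssl.CERT_REQUIRED set, and close the connection if it raises.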