On 9/29/2010 1:18 PM, Ned Deily wrote:
> In article <d07279e14b9bbb842bf97b8874f7d...@ivanov-nest.com>,
> Velko Ivanov <viva...@ivanov-nest.com> wrote:
>> I've always wondered why HTTPSConnection does not validate
>> certificates?
>>
>> It is fairly simple to use the SSL socket's validation:
> [...]
> Perhaps you can write up your example as a documentation patch to the
> http.client documentation page and submit it to the Python bug tracker
> (http://bugs.python.org/).

We've been through this. Too many times.

    http://bugs.python.org/issue1114345
    (2005: Broken in Python 2.2, eventually fixed)

    http://www.justinsamuel.com/2008/12/25/the-importance-of-validating-ssl-certificates/
    (2008: Why this matters)

    http://www.mail-archive.com/python-list@python.org/msg281736.html
    (2010: Broken in new Python 2.6 SSL module.)

    http://bugs.python.org/issue1589
    (2010: Developer "Bill Jansen" in denial, others disagree.
    Currently being debated. See bug tracker.)

The really stupid thing about the current SSL module is that it
accepts a file of root certificates as a parameter, but ignores it.
So it creates the illusion of security without providing it.

As someone pointed out, the current SSL module "lets you talk
encrypted to your attacker".

John Nagle
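
The "roots supplied but never consulted" failure described in the message above, shown as an added example that is not part of the original thread. It assumes the current Python 3 `ssl` and `http.client` APIs rather than the 2.6-era module under discussion, and the function names are hypothetical.

```python
import http.client
import ssl


def validation_gaps(ctx):
    """Return the reasons this SSLContext would accept a forged certificate."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain not verified (verify_mode=%s)" % ctx.verify_mode.name)
    if not ctx.check_hostname:
        gaps.append("hostname not matched against the certificate")
    return gaps


def roots_loaded_but_ignored():
    """Constructed weak case: root certificates are supplied, yet nothing
    requires the peer's chain to be checked against them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # peer certificate is accepted unverified
    ctx.load_default_certs()         # roots are loaded but never consulted
    return ctx


def validating_context(cafile=None):
    """Corrected case: chain verification and hostname matching both on."""
    return ssl.create_default_context(cafile=cafile)


def https_connection(host, ctx):
    """Build an HTTPSConnection only if ctx really validates the server.
    No network traffic happens until a request is made on the result."""
    gaps = validation_gaps(ctx)
    if gaps:
        raise ValueError("refusing unvalidated TLS: " + "; ".join(gaps))
    return http.client.HTTPSConnection(host, context=ctx)


if __name__ == "__main__":
    for label, ctx in (("weak", roots_loaded_but_ignored()),
                       ("validating", validating_context())):
        print(label, validation_gaps(ctx) or "no gaps")
```
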