[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2013-08-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: I'm gonna close this entry, since there's no actual issue to fix in Python. -- resolution: -> invalid status: open -> closed ___ Python tracker ___

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2013-08-14 Thread Christian Heimes
Changes by Christian Heimes : -- nosy: +christian.heimes ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http:/

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2013-06-03 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis : -- nosy: +Arfrever

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2013-06-03 Thread Barry A. Warsaw
Changes by Barry A. Warsaw : -- nosy: +barry

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2013-03-08 Thread Florian Weimer
Changes by Florian Weimer : -- nosy: +fweimer

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-23 Thread Jesús Cea Avión
Changes by Jesús Cea Avión : -- nosy: +jcea

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-23 Thread Antoine Pitrou
Antoine Pitrou added the comment: > Antoine, in case it's useful, do you think that it would be possible > to have something exactly-like the OpenSSL verify command? Well, to quote the page you mentioned: “The verify program uses the same functions as the internal SSL and S/MIME verification, t

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-23 Thread naif
naif added the comment: Looking at the OpenSSL command line, there is the "verify" that does a lot of checks on its own: http://www.openssl.org/docs/apps/verify.html Dan, do you think that this app does all the "best practice" verification or it's missing something? Antoine, in case it's us

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-23 Thread Antoine Pitrou
Antoine Pitrou added the comment: > Be sure to support SAN. People forget that, and the API makes it a pain in > the butt (the validator doesn't even know who you're validating for). Right, that's why we added the match_hostname() function. It knows about subjectAltName, except for raw IP add

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-23 Thread naif
naif added the comment: Hi all, I added a ticket on setting up a default CA-store for Python, eliminating the need of CA-Store maintenance: http://bugs.python.org/issue13655 This feature is a pre-requisite to implement by default SSL/TLS Client secure certificate verification. --

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-23 Thread Dan Kaminsky
Dan Kaminsky added the comment: On Fri, Dec 23, 2011 at 4:14 AM, Antoine Pitrou wrote: > > Antoine Pitrou added the comment: > > > You need to check expiration date of the cert in question, and I > > suppose invocation date as well. > > You need to look at each of the CNs in the subject name,

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-23 Thread Antoine Pitrou
Antoine Pitrou added the comment: > You need to check expiration date of the cert in question, and I > suppose invocation date as well. > You need to look at each of the CNs in the subject name, as well as > each of the DNSname types in the SAN extension. > You *absolutely must* make sure that e

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-23 Thread Dan Kaminsky
Dan Kaminsky added the comment: >> There is a new "match_hostname" that doesn't implement all the >> required, standard SSL/TLS Client security checks that should be done. >Indeed, as the name indicates, it just checks the hostname. >Please detail what the other security checks are (bonus poin

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: > There is a new "match_hostname" that doesn't implement all the > required, standard SSL/TLS Client security checks that should be done. Indeed, as the name indicates, it just checks the hostname. Please detail what the other security checks are (bonus points

[issue13647] Python SSL stack doesn't securely validate certificate (as client)

2011-12-22 Thread naif
New submission from naif: It has been noticed by the well-known security researcher Dan Kaminsky (http://dankaminsky.com/) that Python SSL binding doesn't securely validate a digital certificate while used. There is a new "match_hostname" http://pypi.python.org/pypi/backports.ssl_match_hostna