[issue25115] SSL_set_verify_depth not exposed by the ssl module

2018-02-25 Thread Christian Heimes
Christian Heimes added the comment: Both Alex and I agree that verify depth is not the right solution to solve your problem. I'd rather not add more APIs unless they are useful for a general audience. OpenSSL has a good default for verify depth. -- resolution: -> rejected stage: patch

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2017-09-12 Thread Alex Gaynor
Alex Gaynor added the comment: For the use case of "I want to trust this CA, but I don't want to trust any of its sub CAs" I think there's a simpler solution than expanding our API: Create your own cross-sign of the root you want, and add a pathLenConstraint: 0 to the basicConstraints extensi

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2017-09-12 Thread Christian Heimes
Christian Heimes added the comment: Grant, I'm not sure I follow you. Do I understand correctly that you want to call SSL_CTX_set_verify_depth(ctx, 1), in order to enforce that a peer cert is directly signed by your CA? That doesn't sound like a good use of SSL_CTX_set_verify_depth(), because

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2017-09-10 Thread Grant Bremer
Grant Bremer added the comment: The use case is for an internal PKI implementation where verification should be, needs to be limited to certificates signed by the PKI CA and no higher to, say, a larger realm which would not be appropriate.

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2017-09-06 Thread Alex Gaynor
Alex Gaynor added the comment: +1 on making sure we have a concrete use case before expanding the API -- nosy: +Alex Gaynor

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2017-09-06 Thread Christian Heimes
Christian Heimes added the comment: The patch looks fairly simple, but what is your use case? I don't like to clobber the SSLContext with additional features. I have never been in a situation that required me to change the verify depths for chain building. Why do you want to restrict or enlarg

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2016-09-15 Thread Christian Heimes
Changes by Christian Heimes: -- assignee: -> christian.heimes components: +SSL

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2016-09-08 Thread Christian Heimes
Changes by Christian Heimes: -- versions: +Python 3.7 -Python 2.7, Python 3.6

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2015-09-16 Thread Grant Bremer
Changes by Grant Bremer: -- hgrepos: -316

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2015-09-16 Thread Grant Bremer
Grant Bremer added the comment: Attached is a patch for the 3.5 branch. The test is minimal -- we are relying on the underlying OpenSSL library and its context to manage the data. I have removed the data validation from the set function -- OpenSSL seems happy to accept negative numbers for dep

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2015-09-15 Thread Grant Bremer
Grant Bremer added the comment: I had thought that I had found documentation that the max depth is 100 and anything higher is ignored -- and as I read that back to me, I believe I read an example passage and interpreted it incorrectly. I'll remove that. We primarily use Python 2.7, so I starte

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2015-09-15 Thread Berker Peksag
Changes by Berker Peksag: -- stage: -> patch review versions: +Python 3.6 -Python 2.7, Python 3.5

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2015-09-15 Thread STINNER Victor
STINNER Victor added the comment: +if (depth < 0 || depth > 100) { Why 100 and not 10 or 1000? SSL_CTX_set_verify_depth() is unable to check the depth? The patch lacks unit tests and documentation. The patch is for Python 2.7, it would be better to write a patch for the default branch (f
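Review bot: the upper bound in `depth > 100` on the quoted line is a bare magic number with no named constant or comment, so callers have no way to know why 101 is rejected while 100 is accepted. Either drop the upper bound and pass the value straight to SSL_CTX_set_verify_depth(), keeping only the `depth < 0` check if negative values must be refused, or define the limit as a named constant and state it in the method's documentation alongside the error raised.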

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2015-09-15 Thread STINNER Victor
Changes by STINNER Victor: -- nosy: +christian.heimes

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2015-09-14 Thread Grant Bremer
Changes by Grant Bremer: -- hgrepos: +316 keywords: +patch Added file: http://bugs.python.org/file40471/verify_depth.patch

[issue25115] SSL_set_verify_depth not exposed by the ssl module

2015-09-14 Thread Grant Bremer
New submission from Grant Bremer: The SSL_set_verify_depth OpenSSL method is not currently exposed by the ssl module. The context object would seem to be the proper place for it as an instance method. -- components: Library (Lib) messages: 250718 nosy: Grant Bremer priority: normal sev