There's also the patch to httplib that Devin Cook has been working on for SSL enhancements, some of which do name checking. He's got most of a patch completed.

On Thu, Sep 10, 2009 at 3:01 PM, Bill Janssen <janssen at parc.com> wrote:
> Heikki, I'm OK with this, too. Would you like to propose an extended
> API for the SSL module? That would give us a starting point to talk
> about.
>
> This should probably be a PEP, just for the sake of writing things down.
>
> As you say, the hostname checking feature seems to me possibly
> appropriate for some application protocols, though it's made the use of
> HTTPS as a transport-level protocol unnecessarily confusing and buggy.
> I don't see putting that into the SSL module as a default, but perhaps a
> utility function in that module, to check a server-side cert against a
> hostname, is a good idea.
>
> Bill
>
>
> Heikki Toivonen <htoivonen at spikesource.com> wrote:
>
>> Bill Janssen wrote:
>> > OK, seems reasonable. Thanks. In the near term, can you do this with
>> > M2Crypto or PyOpenSSL?
>> >
>> > When I started this update in 2007, we were trying to keep the API
>> > simple to avoid confusing people and avoid competition with the two
>> > full-fledged toolkits out there. But I don't see any real reason not to
>> > extend the API a bit.
>>
>> Speaking as the M2Crypto maintainer, I don't mind the stdlib competing
>> with M2Crypto/getting better at SSL. In fact, I would actually like to
>> see the stdlib SSL implementation getting good enough so that people
>> would not need M2Crypto for SSL (except maybe in special circumstances).
>> There is much M2Crypto does besides SSL so this wouldn't even obsolete it.
>>
>> One of the main things IMO missing from stdlib SSL implementation is
>> hostname checking by default (with override option), but I know you and
>> I have different opinions on this. I would be happy to provide patches
>> against the stdlib SSL implementation for some things M2Crypto does that
>> the stdlib SSL module is missing if we could agree on the
>> features/design first. Simple is good, but I'd like the defaults to be
>> secure and commonly overridden things to be overrideable.
>>
>> --
>> Heikki Toivonen
>>
>> _______________________________________________
>> Python-Dev mailing list
>> Python-Dev at python.org
>> http://mail.python.org/mailman/listinfo/python-dev
>> Unsubscribe: http://mail.python.org/mailman/options/python-dev/janssen%40parc.com