Showing content from https://mail.python.org/pipermail/python-dev/2013-December/130653.html below:

[Python-Dev] Verification of SSL cert and hostname made easy

Christian Heimes christian at python.org
Sun Dec 1 02:53:32 CET 2013
On 30.11.2013 23:51, Antoine Pitrou wrote:
> Small nit: what happens if the server_hostname is None (i.e. wasn't
> passed to context.wrap_socket())?

The code will raise an exception. My patch already implements a more
verbose ValueError that explains the cause of the problem. It's a flaw in
the code that calls context.wrap_socket. Erroneous code will no longer pass
silently.

The patch also ensures a valid combination of verify_mode and
check_hostname:

>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.check_hostname = True
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: check_hostname needs a SSL context with either CERT_OPTIONAL
or CERT_REQUIRED
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> context.check_hostname = True
>>> context.verify_mode = ssl.CERT_NONE
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is
enabled.


It's only a limitation of the Python API: getpeercert() returns {} for
an unverified cert. OpenSSL can still return the cert, though.

Christian
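
Added example, not part of the original message or of the patch it describes: the two checks discussed above (the check_hostname / verify_mode coupling and the missing server_hostname case), exercised offline against the ssl module of a current Python 3. The helper names are hypothetical, and ssl.PROTOCOL_TLS_CLIENT is assumed in place of the PROTOCOL_TLSv1 constant used in the session above.

```python
import socket
import ssl


def insecure_context():
    """Client context with verification off; the order of the two writes matters."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with both checks enabled
    ctx.check_hostname = False        # has to be cleared first ...
    ctx.verify_mode = ssl.CERT_NONE   # ... or this assignment raises ValueError
    return ctx


def enable_hostname_check(ctx):
    """Turn check_hostname on and return the verify_mode that results."""
    try:
        # Python 3.7+ promotes CERT_NONE to CERT_REQUIRED here instead of raising.
        ctx.check_hostname = True
    except ValueError:
        # Behaviour shown in the message: refused while verify_mode is CERT_NONE.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    return ctx.verify_mode


def try_disable_verification(ctx):
    """Attempt verify_mode = CERT_NONE; return the ValueError text, or None."""
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError as exc:
        return str(exc)
    return None


def wrap_without_hostname(ctx):
    """wrap_socket() on an unconnected socket without server_hostname.

    Returns the ValueError text, or None if the call was accepted.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        ctx.wrap_socket(sock).close()   # no server_hostname passed
    except ValueError as exc:
        return str(exc)
    finally:
        sock.close()
    return None


if __name__ == "__main__":
    ctx = insecure_context()
    print("no checks, no hostname :", wrap_without_hostname(ctx))
    print("after enabling check   :", enable_hostname_check(ctx))
    print("verify_mode = CERT_NONE:", try_disable_verification(ctx))
    print("checks on, no hostname :", wrap_without_hostname(ctx))
```

With both checks off, the call without server_hostname is accepted silently; once check_hostname is on, the same call is rejected before any network traffic, and verify_mode can no longer be dropped to CERT_NONE.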