From: Antoine Pitrou on 15 Jun 2010 16:27

On Mon, 14 Jun 2010 19:47:49 +0100
Nobody <nobody(a)nowhere.com> wrote:
> On Mon, 14 Jun 2010 10:43:02 -0700, John Nagle wrote:
>
> > The new SSL module in Python 2.6
>
> There isn't an SSL module in Python 2.6. There is a module named "ssl"
> which pretends to implement SSL, but in fact doesn't.

What do you mean by "doesn't"?
Can you point to an open bug report describing the issue?
From: geremy condra on 15 Jun 2010 16:40

On Tue, Jun 15, 2010 at 1:27 PM, Antoine Pitrou <solipsis(a)pitrou.net> wrote:
> On Mon, 14 Jun 2010 19:47:49 +0100
> Nobody <nobody(a)nowhere.com> wrote:
>> On Mon, 14 Jun 2010 10:43:02 -0700, John Nagle wrote:
>>
>> > The new SSL module in Python 2.6
>>
>> There isn't an SSL module in Python 2.6. There is a module named "ssl"
>> which pretends to implement SSL, but in fact doesn't.
>
> What do you mean by "doesn't"?
> Can you point to an open bug report describing the issue?

He's describing the lack of hostname checking, discussed here[0], here[1], and in my pycon lightning talk last year, wherever those are kept. My understanding is that it has led to vulnerabilities in code deployed by Red Hat and several other vendors; if you need to speak with them I can probably get the people involved in that effort to come forward privately. Both the lead for M2Crypto and the authors of zc.ssl have publicly stated that this needs to be fixed.

Geremy Condra

[0] http://mail.python.org/pipermail/python-list/2010-April/1242166.html
[1] http://bugs.python.org/issue1589
From: Antoine Pitrou on 15 Jun 2010 16:57

Hello,

> He's describing the lack of hostname checking, discussed here[0],
> here[1], and in my pycon lightning talk last year, wherever those
> are kept.

Ok, thank you.
I have tried to put some effort into the py3k ssl docs, so that security issues get mentioned:
http://docs.python.org/dev/py3k/library/ssl.html#security-considerations
Any improvement or correction is welcome.

Also, following issue1589 (certificate hostname checking), I think it would be useful at least to provide the necessary helper functions in order to check certificate conformity, even if they aren't called implicitly. I would encourage interested people to provide a patch for the py3k ssl module, and will gladly review it.

Regards

Antoine.
From: geremy condra on 15 Jun 2010 17:14

On Tue, Jun 15, 2010 at 1:57 PM, Antoine Pitrou <solipsis(a)pitrou.net> wrote:
>
> Hello,
>
>> He's describing the lack of hostname checking, discussed here[0],
>> here[1], and in my pycon lightning talk last year, wherever those
>> are kept.
>
> Ok, thank you.
> I have tried to put some effort into the py3k ssl docs, so that security
> issues get mentioned:
> http://docs.python.org/dev/py3k/library/ssl.html#security-considerations
> Any improvement or correction is welcome.

Could similar notifications be added to urllib, etc? That's where people really get bitten badly by this.

> Also, following issue1589 (certificate hostname checking), I think it
> would be useful at least to provide the necessary helper functions in
> order to check certificate conformity, even if they aren't called
> implicitly. I would encourage interested people to provide a patch for
> the py3k ssl module, and will gladly review it.

I'm not sure what this fixes if it doesn't get used in the higher-level modules, but I can ask if anybody is interested.

Geremy Condra
From: Antoine Pitrou on 15 Jun 2010 17:25

On Tue, 15 Jun 2010 14:14:08 -0700
geremy condra <debatem1(a)gmail.com> wrote:
> >
> > Ok, thank you.
> > I have tried to put some effort into the py3k ssl docs, so that security
> > issues get mentioned:
> > http://docs.python.org/dev/py3k/library/ssl.html#security-considerations
> > Any improvement or correction is welcome.
>
> Could similar notifications be added to urllib, etc? That's where
> people really get bitten badly by this.

I suppose so, although I'm not responsible for these modules.

> > Also, following issue1589 (certificate hostname checking), I think it
> > would be useful at least to provide the necessary helper functions in
> > order to check certificate conformity, even if they aren't called
> > implicitly. I would encourage interested people to provide a patch for
> > the py3k ssl module, and will gladly review it.
>
> I'm not sure what this fixes if it doesn't get used in the higher-level
> modules, but I can ask if anybody is interested.

Actually it could be used, at least optionally, by the higher-level modules (I'm not sure it can always be enabled by default, although security-wise it would certainly be preferable).

Regards

Antoine.
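The helper the thread keeps coming back to (an explicit check that the peer certificate actually covers the hostname the client meant to reach, applied after the chain has been validated) looks roughly like the following. This is an added example written for this page, not code from the thread, from CPython, or from the patch discussed for issue1589. It assumes the dictionary layout that `ssl.SSLSocket.getpeercert()` returns for a validated certificate (`subjectAltName` as a tuple of `(type, value)` pairs, `subject` as a tuple of RDN tuples) and the matching rules of RFC 2818 section 3.1 / RFC 6125: dNSName entries in subjectAltName take precedence, the subject commonName is consulted only when no dNSName is present, and a wildcard is honoured only as the whole leftmost label. The sample certificate dicts at the bottom are constructed for the demonstration and are not real certificates.

```python
# Added example: explicit hostname verification over the dict that
# ssl.SSLSocket.getpeercert() returns. Not from the thread or CPython.
# Matching rules assumed: RFC 2818 s3.1 / RFC 6125 (see lead-in).


class CertificateError(ValueError):
    """Raised when the certificate does not cover the requested hostname."""


def _dnsname_match(pattern, hostname):
    """Match one dNSName pattern ('www.example.org' or '*.example.org')
    against hostname, case-insensitively and ignoring a trailing dot."""
    if not pattern:
        return False
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    labels = pattern.split(".")
    if labels[0] == "*":
        # A wildcard may only be the entire leftmost label, must match exactly
        # one host label, and is refused for a bare pattern such as '*.com'.
        if len(labels) < 3:
            return False
        host_labels = hostname.split(".")
        return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]
    if "*" in pattern:
        # Partial wildcards such as 'f*.example.org' are not accepted.
        return False
    return pattern == hostname


def match_hostname(cert, hostname):
    """Raise CertificateError unless cert (getpeercert() dict) covers hostname."""
    if not cert:
        # getpeercert() returns {} when the peer was not verified; refusing
        # here keeps an unverified connection from passing the check silently.
        raise CertificateError("empty or unverified certificate; no check possible")
    dnsnames = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            if _dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    if not dnsnames:
        # Fall back to the subject commonName only when no dNSName SAN exists.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if _dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    if not dnsnames:
        raise CertificateError("no appropriate commonName or subjectAltName "
                               "fields were found")
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, ", ".join(map(repr, dnsnames))))


def hostname_matches(cert, hostname):
    """Boolean convenience wrapper around match_hostname()."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


# Constructed sample certificates in getpeercert() layout (not real certs).
SAMPLE_CERT_SAN = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.api.example.org")),
}
SAMPLE_CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.net"),)),
}

if __name__ == "__main__":
    for cert, host in [(SAMPLE_CERT_SAN, "www.example.org"),
                       (SAMPLE_CERT_SAN, "v1.api.example.org"),
                       (SAMPLE_CERT_SAN, "ignored.example.org"),
                       (SAMPLE_CERT_CN_ONLY, "mail.example.net"),
                       (SAMPLE_CERT_CN_ONLY, "evil.example.net")]:
        print(host, "->", "ok" if hostname_matches(cert, host) else "MISMATCH")
```

In use, a client would call `match_hostname(sock.getpeercert(), hostname)` right after the handshake on a socket wrapped with `cert_reqs=ssl.CERT_REQUIRED` and a CA bundle; without `CERT_REQUIRED` the returned dict is empty and the check refuses rather than passes, which is the failure mode the thread is concerned with. The `ignored.example.org` case shows why the commonName fallback must be suppressed once a dNSName SAN is present: otherwise a certificate issued for one set of names could be accepted for a name that was never certified.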