[issue24646] Python accepts SSL certificate that should be rejected on OSX

2016-09-09 Thread Ned Deily
Ned Deily added the comment: We will no longer use the OS X system OpenSSL for 3.6. -- resolution: not a bug -> third party stage: -> resolved status: pending -> closed ___ Python tracker

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2016-09-08 Thread Christian Heimes
Christian Heimes added the comment: I think this bug is no longer relevant with Python 3.5 and newer. We no longer use system OpenSSL in our Python builds. Ned, is that right? -- assignee: -> ned.deily resolution: -> not a bug status: open -> pending

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-24 Thread Ned Deily
Ned Deily added the comment: Ronald, FWIW, your test program seems to work without crashing on both 10.6 and 10.8; not surprisingly, it failed to compile on 10.5 (no 'errSecSuccess'). -- ___ Python tracker rep...@bugs.python.org

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-22 Thread Ronald Oussoren
Ronald Oussoren added the comment: The attached program (which is pure C except for a call to NSLog) calls SecTrustCopyAnchorCertificates in a child process (and with a minor change the other function as well). This doesn't crash for me. However, that doesn't really mean anything: We know

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-20 Thread Ronald Oussoren
Ronald Oussoren added the comment: Using our own OpenSSL build should be safer in the long run anyway. Apple provides enough APIs to reproduce the behaviour of Apple’s build in a cleaner way (by making the loading of system CA certs an explicit action). Problem is: that likely requires

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-20 Thread Ronald Oussoren
Ronald Oussoren added the comment: BTW. I think someone (me?) should write down the problems with using higher levels in the API stack w.r.t. os.fork in a PEP-style document. This can then be used to decide whether or not we want to use such APIs in the stdlib (and if so, what should be

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-20 Thread Christian Heimes
Christian Heimes added the comment: It's a platform bug but Apple doesn't consider it a bug. Hynek has analyzed and reported it over a year ago: https://hynek.me/articles/apple-openssl-verification-surprises/ -- nosy: +christian.heimes ___ Python

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-20 Thread Christian Heimes
Christian Heimes added the comment: Ronald: Can you check if SecTrustSettingsCopyCertificates() or SecTrustCopyAnchorCertificates() are affected by the fork() issue? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24646

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-20 Thread Ronald Oussoren
Ronald Oussoren added the comment: I'll check, but they probably are because they use data structures from CoreFoundation. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24646 ___

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-17 Thread Ronald Oussoren
Ronald Oussoren added the comment: The fork of OpenSSL that Apple ships also looks at the CA list in the Keychain. IIRC that cannot be disabled. BTW. Annoyingly this fork uses a private API to access the keychain, which means we couldn't optionally use this behavior when not using Apple's

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-17 Thread Antoine Pitrou
Antoine Pitrou added the comment: Do we know exactly why OS X's OpenSSL accepts it? -- nosy: +ned.deily, pitrou, ronaldoussoren ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24646 ___

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-17 Thread Ned Deily
Ned Deily added the comment: And the tradeoff for supplying private copies of newer OpenSSL libs with the Pythons installed by python.org OS X installers is that we would then need to solve the CA management problem for all users of those Pythons. So far there hasn't been a good solution to

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-17 Thread Donald Stufft
Donald Stufft added the comment: For what it's worth, the El Capitan Betas apparently don't ship with OpenSSL headers anymore though they do still ship with the dylibs. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24646

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-17 Thread Ned Deily
Ned Deily added the comment:
> For what it's worth, the El Capitan Betas apparently don't ship with OpenSSL headers anymore though they do still ship with the dylibs.
Hmm, I had tested installing existing python.org binary releases with the first DPs of 10.11 and I *thought* I had tested

[issue24646] Python accepts SSL certificate that should be rejected on OSX

2015-07-16 Thread Jussi Pakkanen
New submission from Jussi Pakkanen: Create a dummy certificate and build an ssl context like this:

    import ssl

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=dummy_certificate)

Then try to connect to a public service like this: u =
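As an added example (not the reporter's script and not code from the Python tracker), the following Python 3.7+ program runs the positive and negative control a practitioner would want before trusting a build's certificate verification: a one-shot TLS server on 127.0.0.1 with a throwaway self-signed certificate, probed twice with a client context that loads a single PEM via cadata exactly as the report does. Trusting the server's own certificate must give "accepted"; trusting an unrelated certificate must give "rejected" (SSLCertVerificationError). The helper names make_self_signed, strict_context, probe, serve_once and demo are this example's own, and it assumes the openssl command-line tool is on PATH to mint the throwaway certificates. PROTOCOL_TLS_CLIENT is used instead of the report's PROTOCOL_TLSv1 because it turns on CERT_REQUIRED and hostname checking by default. The local negative control would be expected to pass even on Apple's OpenSSL fork, since the throwaway certificate is not in the Keychain; to reproduce what the report describes, point probe() at a public host with the unrelated PEM, where a correct build must still answer "rejected".

```python
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def openssl_available() -> bool:
    """True when the `openssl` CLI is on PATH (an assumption of this example)."""
    return shutil.which("openssl") is not None


def make_self_signed(workdir: str, name: str, cn: str):
    """Mint a throwaway self-signed cert + key with the openssl CLI (hypothetical helper).

    Returns (cert_path, key_path). The SAN is set so hostname checking works.
    """
    cert = os.path.join(workdir, name + ".pem")
    key = os.path.join(workdir, name + ".key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn,
         "-keyout", key, "-out", cert],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return cert, key


def strict_context(ca_pem: str) -> ssl.SSLContext:
    """Client context that trusts *only* the PEM passed in, as in the bug report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.load_verify_locations(cadata=ca_pem)        # the only trust anchor we want consulted
    return ctx


def probe(host: str, port: int, ca_pem: str, server_hostname: str = None) -> str:
    """Handshake with host:port. 'rejected' = verification failed, 'accepted' = it passed."""
    ctx = strict_context(ca_pem)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host):
                return "accepted"
    except ssl.SSLCertVerificationError:
        return "rejected"


def serve_once(cert: str, key: str):
    """Start a one-shot TLS server on 127.0.0.1 in a thread; returns (port, thread)."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def run():
        conn, _ = lsock.accept()
        try:
            with sctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)   # wait for the client to finish, then close
        except OSError:
            pass              # client refused our certificate (expected in the negative case)
        finally:
            lsock.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def demo():
    """Run the positive and negative control locally. Returns None if openssl CLI is missing."""
    if not openssl_available():
        return None
    work = tempfile.mkdtemp()
    try:
        server_cert, server_key = make_self_signed(work, "server", "localhost")
        dummy_cert, _ = make_self_signed(work, "dummy", "dummy-ca.invalid")  # unrelated CA, as in the report
        results = {}
        for label, trusted in (("trusted", server_cert), ("unrelated", dummy_cert)):
            port, thread = serve_once(server_cert, server_key)
            with open(trusted) as f:
                results[label] = probe("127.0.0.1", port, f.read(), server_hostname="localhost")
            thread.join(5)
        return results
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # expected on a correct build: {'trusted': 'accepted', 'unrelated': 'rejected'}
```

If the "unrelated" case ever comes back "accepted", the build is consulting a trust source other than the cadata you loaded, which is exactly the behaviour this issue is about.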