On 04 Feb 2013, at 17:04, "Antoine Pitrou" <[email protected]> wrote:

>
> Hi,
>
>> On 04 Feb 2013, at 16:02, Laurens Van Houtven <[email protected]>
>> wrote:
>>
>>> On Mon, Feb 4, 2013 at 3:51 PM, Giovanni Bajo <[email protected]> wrote:
>>>>
>>>>
>>>> (That reminds me; does the stdlib still ignore OCSP?)
>>>>
>>>> TBH, it's worse than that; it doesn't even check SSL certificates by
>>>> default. The default is to ignore any certificate sent by the server
>>>> and get on with the connection.
>>>
>>> Right, but IIUC you can at least convince it to do verify certs by
>>> setting the appropriate flag;
>>
>> Something like that; it's missing an (auto-updating) CA bundle or a way to
>> read the operating system's one, and a function that matches the server
>> name with either CN and SAN fields with the correct wildcard rules (this
>> was added in Python 3.2).
>
> SSLContext is your friend:
> http://docs.python.org/3.3/library/ssl.html#ssl.SSLContext.set_default_verify_paths

Thanks for the pointer, but that's 3.2+ only. We need a working solution for
all versions supported by pip, if we treat it as a security bug (I think we
should).

> If you want to maintain a CA bundle that would be shipped with Python, this
> can be discussed on python-dev.

Thanks, but I don't know if I'll have time for this. On the contrary, as I
already stated, I'm volunteering for doing some work on pip/PyPI.

-- 
Giovanni Bajo :: [email protected]
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
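As an added illustration of the two pieces the thread says a client needs (not code from the thread, from pip, or from the Python ssl module): an SSLContext that requires a trusted chain and loads the platform CA bundle through SSLContext.set_default_verify_paths(), plus a server-name check of the kind Giovanni describes, where dNSName SAN entries take precedence over the subject CN and a wildcard is honoured only as the whole leftmost label. Function names, the .invalid host names and the getpeercert()-shaped certificate dicts are all constructed for this example; it assumes Python 3.6 or newer for ssl.PROTOCOL_TLS_CLIENT and does not reproduce the stdlib's own ssl.match_hostname.

```python
"""Added example: verified TLS client setup and a SAN/CN hostname check.

Names, hosts and certificate contents are constructed for the demo.
"""
import ssl


def make_verifying_context(cafile=None):
    """Return a client SSLContext that refuses unverified peers.

    With PROTOCOL_TLS_CLIENT these settings are already the defaults; they
    are set explicitly here so the intent is visible in the code.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject a peer without a valid chain
    ctx.check_hostname = True             # and one whose cert names another host
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # a bundle shipped with the tool
    else:
        ctx.set_default_verify_paths()             # the operating system's bundle
    return ctx


def context_requires_verification(ctx):
    """True when ctx both requires a trusted chain and checks the server name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def dnsname_match(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively.

    Wildcard rules: '*' must be the entire leftmost label, may not appear
    elsewhere, matches exactly one label, and needs at least two labels to
    its right (so '*.com' can never match anything).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert, hostname):
    """Check a getpeercert()-shaped dict against the hostname we dialled.

    dNSName subjectAltName entries are authoritative; the subject CN is
    consulted only when the certificate carries no dNSName SAN at all.
    """
    candidates = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not candidates:
        candidates = [v for rdn in cert.get("subject", ())
                      for kind, v in rdn if kind == "commonName"]
    return any(dnsname_match(name, hostname) for name in candidates)


# Constructed sample certificates in the shape SSLSocket.getpeercert() returns.
SAN_CERT = {
    "subject": ((("commonName", "pypi.example.invalid"),),),
    "subjectAltName": (("DNS", "pypi.example.invalid"),
                       ("DNS", "*.files.example.invalid")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "*.example.invalid"),),)}
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "www.example.invalid"),),),
    "subjectAltName": (("DNS", "other.example.invalid"),),
}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "pypi.example.invalid"),
                       (SAN_CERT, "cdn.files.example.invalid"),
                       (SAN_CERT, "a.b.files.example.invalid"),
                       (CN_ONLY_CERT, "www.example.invalid"),
                       (SAN_OVERRIDES_CN_CERT, "www.example.invalid")]:
        print(host, "->", hostname_matches(cert, host))
    print("context verifies:", context_requires_verification(make_verifying_context()))
```

The SAN_OVERRIDES_CN_CERT case is the one worth noting: its CN names the host we want, but because a dNSName SAN is present the CN is ignored and the match fails, which is the behaviour a CN-only matcher would get wrong.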
