New submission from Robert Kuska:

Proposed patch adds the possibility to opt out of certificate verification.
Disclaimer: it is just a proof of concept as the config value is hard-coded.

How does it work?
This patch depends on the existence of a config file which holds information about
the protocol settings.

> $ cat cert-verification.conf
[https]  # each protocol affected by cert-verification got its own section
verify=platform_default

Possible values for verify are:
enable - to enable certificate verification
disable - to disable certificate verification
platform_default - to use default (platform-specific) settings

Why platform_default?
This choice is for users who don't care about the security settings, so they leave
the decision to their platform (distro) from which they get Python. In rpm we
can set the package to not replace user-edited configs when the rpm is updated, so if
the user changes the default value in the config, the config will remain the same.

Python example:

 >>> import http.client
 >>> cn = http.client.HTTPSConnection('www.google.com')
 >>> cn._context.verify_mode
 0L  # CERT_NONE
 >>> # config changed to verify=enable, still same interpreter
 >>> cn2 = http.client.HTTPSConnection('www.google.com')
 >>> cn2._context.verify_mode
 2L  # CERT_REQUIRED

This is how the attached patch currently works, but I guess it would make more
sense to make this behave consistently within the same interpreter even when the config
is changed, with the change propagated at the next interpreter
run/service restart.

Also, the patch could be changed to be module based instead of protocol based,
but this would also need patching of the affected modules.

I'm opening the RFE mainly to see if there is a will to implement optionable
certificate verification upstream as it is downstream [citation needed].

I've added some people to the nosy list based on
https://docs.python.org/devguide/experts.html

----------
components: Library (Lib)
messages: 239965
nosy: alex, dstufft, haypo, janssen, ncoghlan, pitrou, rkuska
priority: normal
severity: normal
status: open
title: [RFE] Make certificate verification optionable
type: enhancement
versions: Python 3.5

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23857>
_______________________________________
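A sketch of the config resolution the post describes, written as an added example and not the patch attached to the issue: it parses the `[https]` section of a `cert-verification.conf`-style text with `configparser`, maps enable/disable/platform_default onto an `SSLContext`, and refuses unknown values rather than silently weakening verification. The helper names and the sample config text are assumptions, and "platform default" here simply means `ssl.create_default_context()`.

```python
"""Resolve the 'verify' setting of a cert-verification.conf text into an SSLContext."""
import configparser
import logging
import ssl

log = logging.getLogger(__name__)

# Constructed sample in the format shown in the post (not a real system file).
SAMPLE_CONF = """\
[https]  # each protocol affected by cert-verification got its own section
verify=platform_default
"""

VALID_VALUES = ("enable", "disable", "platform_default")


def parse_verify_setting(conf_text, protocol="https"):
    """Return the 'verify' value for *protocol*; 'platform_default' if absent.

    An unrecognised value raises ValueError instead of being treated as
    'disable', so a typo in the config cannot turn verification off.
    """
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cp.read_string(conf_text)
    value = cp.get(protocol, "verify", fallback="platform_default").strip().lower()
    if value not in VALID_VALUES:
        raise ValueError(f"unsupported verify value {value!r} in section [{protocol}]")
    return value


def make_context(conf_text, protocol="https"):
    """Build an SSLContext whose verify_mode follows the config value."""
    setting = parse_verify_setting(conf_text, protocol)
    # Assumed platform default: the stdlib default context, which already
    # uses CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context()
    if setting == "enable":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif setting == "disable":
        # check_hostname must be cleared before verify_mode may become CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # Make the weakened setting visible in logs for whoever operates the host.
        log.warning("certificate verification disabled for %s via config", protocol)
    return ctx


if __name__ == "__main__":
    print(parse_verify_setting(SAMPLE_CONF), make_context(SAMPLE_CONF).verify_mode)
```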
_______________________________________________
Python-bugs-list mailing list