Antoine Pitrou <pit...@free.fr> added the comment:

Hello,

> I added some extra verification to Mercurial
> (http://www.selenic.com/hg/rev/f2937d6492c5). Feel free to use the
> following under the Python license in Python or elsewhere. It could be
> a separate method/function or it could be integrated in wrap_socket and
> controlled by a keyword. I would appreciate if you find the
> implementation insufficient or incorrect.

Thank you, I'll take a look!

> Are CRLs checked by the SSL module? Otherwise it deserves a big fat
> warning.

They are not, but AFAIK most browsers don't check CRLs either...
(or rather, they don't download updated CRLs)

> (I now assume that notBefore is handled by the SSL module and
> shouldn't be checked here.)

I can't say for sure, but OpenSSL seems to handle both notBefore and
notAfter as part of its cert verification routine (see interval_verify()
and cert_check_time() in crypto/x509/x509_vfy.c).

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue1589>
_______________________________________