> * Allow certificate validation. This is a bit tricky; typically > certs are validated against some database of root certificates, so you > need a whole infrastructure to maintain that database. Currently, we > don't have one, so no certs can be validated. We could add a switch > to allow auto-validation of self-signed certs pretty easily. I could > add a parameter to the SSLObject constructor which would be a filepath > for a file full of root certs (see SSL_CTX_load_verify_locations(3ssl)).
The simplest way to do verification is to allow the application to provide a set of root certs that it would like to verify against, and use the built-in OpenSSL verification procedure. The OpenSSL CAcerts file format is just a number of certificates concatenated together, separated by text headers that identify the boundary: -----BEGIN CERTIFICATE----- ... (CA certificate in base64 encoding) ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (another CA certificate in base64 encoding) ... -----END CERTIFICATE----- ... I suggest we just use that. Applications which want something fancier are free to implement something :-). Bill _______________________________________________ Python-Dev mailing list [email protected] http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
