On 2016-09-10 18:24, Donald Stufft wrote:
> 
>> On Sep 10, 2016, at 10:22 AM, Christian Heimes <christ...@python.org> wrote:
>>
>> I don't load any certs because it is not possible to remove a cert or
>> X509 lookup once it is loaded. create_default_context() just has to
>> load the certs and set more secure cipher suites.
> 
> 
> This part is the most concerning to me, though I understand why it’s the 
> case. Perhaps we can do something a little tricky to allow both things to 
> happen? IOW do sort of a late binding of a call to loading the default 
> certificates if no other certificates have been loaded when the call to 
> SSLContext().wrap_socket() has been made.
> 
> So we’d do something like:
> 
> 
> class SSLContext:
>     def __init__(self, …):
>         self._loaded_certificates = False
>         …  # Do Other Stuff
> 
>     def load_default_certs(self, …):
>         self._loaded_certificates = True
>         …  # Do Other Stuff
> 
>     def load_verify_locations(self, …):
>         self._loaded_certificates = True
>         …  # Do Other Stuff
> 
>     def wrap_socket(self, …):
>         if not self._loaded_certificates:
>             self.load_default_certs()
> 
>         …  # Do Other Stuff
> 
> 
> That way if someone does something like:
> 
> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
> ctx.load_verify_locations(cafile="…")
> ctx.wrap_socket(…)
> 
> Then they don’t get any default certificates added, HOWEVER if they do:
> 
> ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
> ctx.wrap_socket(…)
> 
> Then they do.
> 
> The main drawback I can see with this is that you can’t wrap a socket and 
> then add certificates after the fact… but I don’t even know if that makes 
> sense to do?

It's a bit too clever and tricky for my taste. I prefer 'explicit is
better than implicit' for trust anchors. My main concern is secure
default settings. An SSLContext should be secure w/o further settings in
order to prevent developers from shooting themselves in the knee.

Missing root certs are not a direct security issue with CERT_REQUIRED.
The connection will simply fail. I'd rather improve the error message
than to auto-load certs.

Christian
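The two positions in the exchange above, written out as an added example (this is not code from the thread or from CPython's ssl module). `check_trust_anchors()` is the "explicit" route Christian prefers: it never loads anything behind the caller's back, but turns a silently failing handshake into a clear error at context-build time by inspecting `cert_store_stats()`. `LazyDefaultCertsContext` is Donald's late-binding sketch filled in as a real subclass; it overrides `wrap_bio()` rather than `wrap_socket()` only so the behaviour can be exercised with in-memory BIOs and no network. Class and function names are this example's own; `ssl.PROTOCOL_TLS_CLIENT`, `cert_store_stats()`, `MemoryBIO` and `wrap_bio()` are real stdlib APIs.

```python
import ssl


class TrustAnchorsMissing(ValueError):
    """A verifying client context has no CA certificates to verify against."""


def trust_anchor_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates currently in the context's X509 store."""
    return ctx.cert_store_stats()["x509_ca"]


def check_trust_anchors(ctx: ssl.SSLContext) -> int:
    """Explicit variant: load nothing implicitly, but fail early and loudly.

    With CERT_REQUIRED and an empty store every handshake would fail with a
    generic verification error; this raises a descriptive error instead.
    Returns the CA count (0 when the context does not verify at all).
    """
    if ctx.verify_mode == ssl.CERT_NONE:
        return 0  # nothing will be verified, so no anchors are needed
    count = trust_anchor_count(ctx)
    if count == 0:
        raise TrustAnchorsMissing(
            "SSLContext has verify_mode=%r but no CA certificates loaded; "
            "call load_default_certs() or load_verify_locations() before "
            "wrapping a socket" % (ctx.verify_mode,))
    return count


class LazyDefaultCertsContext(ssl.SSLContext):
    """Late-binding variant: default certs are loaded on the first client
    wrap unless the caller has already loaded trust anchors explicitly.

    Note the drawback raised in the thread: certificates loaded after the
    first wrap no longer suppress the default load.
    """

    # Class-level default; an instance attribute is set once anything is loaded.
    _loaded_certificates = False

    def load_default_certs(self, purpose=ssl.Purpose.SERVER_AUTH):
        self._loaded_certificates = True
        super().load_default_certs(purpose)

    def load_verify_locations(self, cafile=None, capath=None, cadata=None):
        self._loaded_certificates = True
        super().load_verify_locations(cafile=cafile, capath=capath, cadata=cadata)

    def wrap_bio(self, incoming, outgoing, server_side=False,
                 server_hostname=None, session=None):
        # Only a client verifies the peer, so only a client needs anchors.
        if not server_side and not self._loaded_certificates:
            self.load_default_certs()
        return super().wrap_bio(incoming, outgoing, server_side=server_side,
                                server_hostname=server_hostname, session=session)


if __name__ == "__main__":
    fresh = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED, no anchors
    try:
        check_trust_anchors(fresh)
    except TrustAnchorsMissing as exc:
        print("explicit check:", exc)

    lazy = LazyDefaultCertsContext(ssl.PROTOCOL_TLS_CLIENT)
    lazy.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(), server_hostname="example.test")
    print("lazy context loaded defaults on wrap:", lazy._loaded_certificates,
          "anchors now:", trust_anchor_count(lazy))
```

The explicit check is the cheaper thing to ship: it changes no trust decision, it only names the missing step. The lazy subclass shows why the thread found the idea "too clever": whether a connection uses the system store depends on call order, which is exactly the kind of state a reader of the calling code cannot see.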

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev