On Tue, Jun 15, 2010 at 1:27 PM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Mon, 14 Jun 2010 19:47:49 +0100
> Nobody <nob...@nowhere.com> wrote:
>> On Mon, 14 Jun 2010 10:43:02 -0700, John Nagle wrote:
>>
>> >     The new SSL module in Python 2.6
>>
>> There isn't an SSL module in Python 2.6. There is a module named "ssl"
>> which pretends to implement SSL, but in fact doesn't.
>
> What do you mean by "doesn't"?
> Can you point to an open bug report describing the issue?

He's describing the lack of hostname checking, discussed here[0],
here[1], and in my PyCon lightning talk last year, wherever those
are kept. My understanding is that it has led to vulnerabilities in
code deployed by Red Hat and several other vendors; if you need
to speak with them I can probably get the people involved in that
effort to come forward privately.

Both the lead for M2Crypto and the authors of zc.ssl have publicly
stated that this needs to be fixed.

Geremy Condra

[0] http://mail.python.org/pipermail/python-list/2010-April/1242166.html
[1] http://bugs.python.org/issue1589
-- 
http://mail.python.org/mailman/listinfo/python-list
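
Added example, not part of the original message and not code from the ssl module, M2Crypto or zc.ssl: a sketch of the hostname check the message says is missing, applied to a certificate in the dictionary layout that getpeercert() returns. The function names and the sample certificates are constructed for illustration, and the wildcard rule (a "*" only as the whole left-most label) is a deliberately conservative assumption.

```python
# Added example: the hostname check a caller must do itself when the TLS
# layer validates the certificate chain but not the name in the certificate.
# All names and sample certificates here are constructed for illustration.

def _name_matches(pattern, host):
    """Compare one certificate DNS name with the host, label by label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and must be followed by at
        # least two fixed labels, so "*.org" never matches anything.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_hostname(cert, hostname):
    """Return True if the getpeercert()-style dict names `hostname`."""
    if not cert:
        return False  # empty dict: no validated certificate to rely on
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # Fall back to commonName only when no DNS subjectAltName exists.
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return any(_name_matches(name, hostname) for name in names)


# Constructed certificates in getpeercert() layout.
CERT_SAN = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "*.api.example.org")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "mail.example.org"),),)}

if __name__ == "__main__":
    for cert, host in [(CERT_SAN, "www.example.org"),
                       (CERT_SAN, "v1.api.example.org"),
                       (CERT_SAN, "other.example.net"),
                       (CERT_CN_ONLY, "mail.example.org")]:
        print(host, cert_matches_hostname(cert, host))
```

A caller would run this on the result of getpeercert() after the handshake and close the connection when it returns False; it is only meaningful when the certificate chain itself was required and validated.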
