[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate
Andreas Hasenack added the comment:

> do it automatically. Unfortunately, that means that client-side certificate verification has to be done (it's pointless to look at the data in unverified certificates), and that means that the client software has to have an appropriate collection of root certificates to verify against. I

But the current API already has this feature:

    ssl_sock = ssl.wrap_socket(s, ca_certs="/etc/pki/tls/rootcerts/%s" % cert,
                               cert_reqs=ssl.CERT_REQUIRED)

So this is already taken care of with ca_certs and cert_reqs, right?

__
Tracker <[EMAIL PROTECTED]>
http://bugs.python.org/issue1589
__
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate
Andreas Hasenack added the comment:

At the least it should be made clear in the documentation that the hostname is not checked against the commonName nor the subjectAltName fields of the server certificate. And add some sample code to the documentation for doing a simple check. Something like this, to illustrate:

    def get_subjectAltName(cert):
        # subjectAltName is a sequence of (type, value) pairs; keep DNS and IP entries
        if not cert.has_key('subjectAltName'):
            return []
        ret = []
        for rdn in cert['subjectAltName']:
            if rdn[0].lower() == 'dns' or rdn[0][:2].lower() == 'ip':
                ret.append(rdn[1])
        return ret

    def get_commonName(cert):
        # subject is a sequence of RDNs, each a sequence of (name, value) pairs
        if not cert.has_key('subject'):
            return []
        ret = []
        for rdn in cert['subject']:
            if rdn[0][0].lower() == 'commonname':
                ret.append(rdn[0][1])
        return ret

    def verify_hostname(cert, host):
        cn = get_commonName(cert)
        san = get_subjectAltName(cert)
        return (host in cn) or (host in san)
[issue1581] xmlrpclib.ServerProxy() doesn't use x509 data
Andreas Hasenack added the comment:

The only difference between xmlrpclib.py from trunk and 2.5.1 is in the Marshaller class. Unrelated, as far as I can see.

Note that it seems that the intent of the original code was to support this x509-dict all along:

    $ grep -n x509 xmlrpclib.py.trunk
    1224:# Host may be a string, or a (host, x509-dict) tuple; if a string,
    1228:# @param host Host descriptor (URL or (URL, x509 info) tuple).
    1230:# x509 info). The header and x509 fields may be None.
    1234:x509 = {}
    1236:host, x509 = host
    1251:return host, extra_headers, x509
    1262:host, extra_headers, x509 = self.get_host_info(host)
    1282:host, extra_headers, x509 = self.get_host_info(host)
    1362:# host may be a string, or a (host, x509-dict) tuple
    1364:host, extra_headers, x509 = self.get_host_info(host)
    1372:return HTTPS(host, None, **(x509 or {}))

Basically just the ServerProxy constructor doesn't support it. One would have to create a new class with a new constructor just because of it. That's why I opened this ticket.

__
Tracker <[EMAIL PROTECTED]>
http://bugs.python.org/issue1581
__
[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate
New submission from Andreas Hasenack:

(I hope I used the correct component for this report)

http://pypi.python.org/pypi/ssl/

I used the client example shown at http://docs.python.org/dev/library/ssl.html#client-side-operation to connect to a bank site called www.realsecureweb.com.br at 200.208.16.101. Its certificate is signed by Verisign. My OpenSSL has this CA at /etc/pki/tls/rootcerts/verisign-inc-class-3-public-primary.pem. The verification works.

If I make up a hostname called something else, like wwws, and place it in /etc/hosts pointing to that IP address, the SSL connection should not be established, because that name doesn't match the common name field in the server certificate. But the SSL module happily connects to it (excerpt below):

    cert = "verisign-inc-class-3-public-primary.pem"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssl_sock = ssl.wrap_socket(s, ca_certs="/etc/pki/tls/rootcerts/%s" % cert,
                               cert_reqs=ssl.CERT_REQUIRED)
    ssl_sock.connect(('wwws', 443))
    print repr(ssl_sock.getpeername())

output:

    ('200.208.16.101', 443)
    ('RC4-MD5', 'TLSv1/SSLv3', 128)
    {'notAfter': 'Sep 10 23:59:59 2008 GMT', 'subject': ((('countryName', u'BR'),), (('stateOrProvinceName', u'Sao Paulo'),), (('localityName', u'Sao Paulo'),), (('organizationName', u'Banco ABN AMRO Real SA'),), (('organizationalUnitName', u'TI Internet PF e PJ'),), (('commonName', u'www.realsecureweb.com.br'),))}

If I now open, say, a Firefox window and point it to https://wwws, it gives me the expected warning that the hostname doesn't match the certificate.

I'll attach the Verisign CA certificate to make it easier to reproduce the error.

--
components: Library (Lib)
files: verisign-inc-class-3-public-primary.pem
messages: 58434
nosy: ahasenack
severity: normal
status: open
title: New SSL module doesn't seem to verify hostname against commonName in certificate
type: security
versions: Python 2.6
Added file: http://bugs.python.org/file8924/verisign-inc-class-3-public-primary.pem
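A fuller version of the hostname check sketched in the comment earlier on this page, added here as an example (not code from the tracker, the ssl module or the reporter), working over the dict shape that getpeercert() returns: BANK_CERT is constructed from the output printed in the report, SAN_CERT in the usage is made up. Current Python performs this check itself when a context from ssl.create_default_context() is used; the logic is the same.

```python
import ipaddress

# Constructed sample in the shape ssl's getpeercert() returns, copied from the
# report above: the bank certificate carries only a commonName, no subjectAltName.
BANK_CERT = {
    'notAfter': 'Sep 10 23:59:59 2008 GMT',
    'subject': ((('countryName', 'BR'),),
                (('stateOrProvinceName', 'Sao Paulo'),),
                (('localityName', 'Sao Paulo'),),
                (('organizationName', 'Banco ABN AMRO Real SA'),),
                (('organizationalUnitName', 'TI Internet PF e PJ'),),
                (('commonName', 'www.realsecureweb.com.br'),)),
}

def common_names(cert):
    """commonName values from 'subject': a tuple of RDNs, each a tuple of (name, value)."""
    return [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']

def alt_names(cert, kind):
    """subjectAltName entries of one type ('DNS' or 'IP Address') as a list of strings."""
    return [v for t, v in cert.get('subjectAltName', ()) if t == kind]

def parse_ip(text):
    """Return an ipaddress object, or None when text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def dns_name_matches(pattern, hostname):
    """Case-insensitive exact match, or '*' standing for the whole leftmost label only."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split('.'), hostname.split('.')
    # The wildcard must be the whole first label, must leave at least two fixed
    # labels ('*.com' is rejected) and may replace exactly one label of the hostname.
    if plabels[0] != '*' or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return hlabels[0] != '' and plabels[1:] == hlabels[1:]

def verify_hostname(cert, hostname):
    """IP literals are checked against IP SANs; DNS names against DNS SANs, else CN."""
    ip = parse_ip(hostname)
    if ip is not None:
        return any(parse_ip(v) == ip for v in alt_names(cert, 'IP Address'))
    # As in RFC 6125, commonName is consulted only when no DNS SAN is present.
    candidates = alt_names(cert, 'DNS') or common_names(cert)
    return any(dns_name_matches(p, hostname) for p in candidates)
```

With BANK_CERT, verify_hostname() accepts 'www.realsecureweb.com.br' and rejects both 'wwws' and the bare IP 200.208.16.101, which is the decision the reporter expected from wrap_socket().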
[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate
Andreas Hasenack added the comment:

Oops, typo in the script:

    cert = "verisign-inc-class-3-public-primary.pem"
[issue1581] xmlrpclib.ServerProxy() doesn't use x509 data
New submission from Andreas Hasenack:

I was trying to use xmlrpclib.ServerProxy() with https and client certificate validation (I know httplib doesn't do server certificate validation yet). I found no way to pass on host/uri as a (host, x509_dict) tuple as the connection methods support, so I came up with this patch.

--
components: Library (Lib)
files: xmlrpclib-x509.patch
messages: 58363
nosy: ahasenack
severity: minor
status: open
title: xmlrpclib.ServerProxy() doesn't use x509 data
type: behavior
versions: Python 2.5
Added file: http://bugs.python.org/file8911/xmlrpclib-x509.patch

--- xmlrpclib.py.orig 2007-12-10 17:00:49.0 -0200 +++ xmlrpclib.py 2007-12-10 17:37:55.0 -0200 @@ -1185,6 +1185,7 @@ errcode, errmsg, headers = h.getreply() if errcode != 200: +host, extra, x509 = self.get_host_info(host) raise ProtocolError( host + handler, errcode, errmsg, @@ -1382,7 +1383,8 @@ uri [,options] - a logical connection to an XML-RPC server uri is the connection point on the server, given as -scheme://host/target. +scheme://host/target. It can also be a tuple of the form (uri,x509_dict) +where x509_dict is a dictionary specifying files for SSL key and certificate. The standard implementation always supports the http scheme. If SSL socket support is available (Python 2.0), it also supports @@ -1404,12 +1406,17 @@ allow_none=0, use_datetime=0): # establish a logical server connection +x509 = {} # get the url import urllib +if isinstance(uri, TupleType): +uri, x509 = uri type, uri = urllib.splittype(uri) if type not in (http, https): raise IOError, unsupported XML-RPC protocol self.__host, self.__handler = urllib.splithost(uri) +if x509: +self.__host = (self.__host, x509) if not self.__handler: self.__handler = /RPC2
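Review bot: in the first hunk (@@ -1185), the added `host, extra, x509 = self.get_host_info(host)` sits only inside the `if errcode != 200:` branch and exists solely so that `host + handler` in the ProtocolError no longer fails with a TypeError when host is a (host, x509-dict) tuple; `extra` and `x509` are unpacked and never used, so `host, _, _ = self.get_host_info(host)` plus a one-line comment would make that intent obvious to the next reader.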
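Review bot: the docstring text in the second hunk (@@ -1382) says x509_dict specifies "files for SSL key and certificate" but does not name the keys; since the dict is expanded as keyword arguments into HTTPS(...) (line 1372 in the grep output earlier on this page), the accepted keys are exactly the HTTPS constructor's parameter names (key_file and cert_file in httplib), and the docstring should list them and state that the tuple form only has an effect with the https scheme; also put a space after the comma in "(uri,x509_dict)".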
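Review bot: in the third hunk (@@ -1404), `uri, x509 = uri` assumes a 2-tuple, so a tuple of any other length raises a bare ValueError and a non-dict second element only fails later inside HTTPS(**x509); a length check such as `if len(uri) != 2: raise TypeError("uri tuple must be (uri, x509_dict)")` and an `isinstance(x509, dict)` check would report the mistake at construction time. Separately, x509 is only consumed on the HTTPS path (line 1372), yet the hunk stores the tuple for http too; raising when x509 is given with a plain http scheme would catch a caller who believes client-certificate authentication is in effect when it is not.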
[issue1114345] Add SSL certificate validation
Changes by Andreas Hasenack:

--
nosy: +ahasenack

_
Tracker <[EMAIL PROTECTED]>
http://bugs.python.org/issue1114345
_