[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate

2007-12-13 Thread Andreas Hasenack

Andreas Hasenack added the comment:

> do it automatically.  Unfortunately, that means that client-side
> certificate verification has to be done (it's pointless to look at the data in
> unverified certificates), and that means that the client software has to
> have an appropriate collection of root certificates to verify against.  I

But the current API already has this feature:
ssl_sock = ssl.wrap_socket(s, ca_certs="/etc/pki/tls/rootcerts/%s" % cert,
                           cert_reqs=ssl.CERT_REQUIRED)

So this is already taken care of with ca_certs and cert_reqs, right?

__
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue1589
__
___
Python-bugs-list mailing list 
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate

2007-12-12 Thread Andreas Hasenack

Andreas Hasenack added the comment:

At the least it should be made clear in the documentation that the
hostname is not checked against the commonName nor the subjectAltName
fields of the server certificate. And add some sample code to the
documentation for doing a simple check. Something like this, to illustrate:

def get_subjectAltName(cert):
    # Collect the DNS and IP entries of the subjectAltName extension.
    if 'subjectAltName' not in cert:
        return []
    ret = []
    for rdn in cert['subjectAltName']:
        if rdn[0].lower() == 'dns' or rdn[0][:2].lower() == 'ip':
            ret.append(rdn[1])
    return ret

def get_commonName(cert):
    # Collect every commonName attribute of the subject.
    if 'subject' not in cert:
        return []
    ret = []
    for rdn in cert['subject']:
        if rdn[0][0].lower() == 'commonname':
            ret.append(rdn[0][1])
    return ret


def verify_hostname(cert, host):
    # Exact match only; no wildcard handling.
    cn = get_commonName(cert)
    san = get_subjectAltName(cert)
    return (host in cn) or (host in san)

__
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue1589
__



[issue1581] xmlrpclib.ServerProxy() doesn't use x509 data

2007-12-11 Thread Andreas Hasenack

Andreas Hasenack added the comment:

The only difference between xmlrpclib.py from trunk and 2.5.1 is in the
Marshaller class. Unrelated, as far as I can see.

Note that it seems that the intent of the original code was to support
this x509-dict all along:

$ grep -n x509 xmlrpclib.py.trunk
1224:# Host may be a string, or a (host, x509-dict) tuple; if a string,
1228:# @param host Host descriptor (URL or (URL, x509 info) tuple).
1230:# x509 info).  The header and x509 fields may be None.
1234:x509 = {}
1236:host, x509 = host
1251:return host, extra_headers, x509
1262:host, extra_headers, x509 = self.get_host_info(host)
1282:host, extra_headers, x509 = self.get_host_info(host)
1362:# host may be a string, or a (host, x509-dict) tuple
1364:host, extra_headers, x509 = self.get_host_info(host)
1372:return HTTPS(host, None, **(x509 or {}))

Basically just the ServerProxy constructor doesn't support it. One would
have to create a new class with a new constructor just because of it.
That's why I opened this ticket.

__
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue1581
__



[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate

2007-12-11 Thread Andreas Hasenack

New submission from Andreas Hasenack:

(I hope I used the correct component for this report)

http://pypi.python.org/pypi/ssl/

I used the client example shown at
http://docs.python.org/dev/library/ssl.html#client-side-operation to
connect to a bank site called www.realsecureweb.com.br at
200.208.16.101. Its certificate is signed by verisign. My OpenSSL has this
CA at /etc/pki/tls/rootcerts/verisign-inc-class-3-public-primary.pem.
The verification works.

If I make up a hostname called something else, like wwws, and place it
in /etc/hosts pointing to that IP address, the SSL connection should not
be established because that name doesn't match the common name field in
the server certificate. But the SSL module happily connects to it
(excerpt below):

import socket, ssl

cert = "verisign-inc-class-3-public-primary.pem"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s,
                           ca_certs="/etc/pki/tls/rootcerts/%s" % cert,
                           cert_reqs=ssl.CERT_REQUIRED)
ssl_sock.connect(('wwws', 443))
# The three lines of output below come from these three prints.
print repr(ssl_sock.getpeername())
print ssl_sock.cipher()
print ssl_sock.getpeercert()

output:
('200.208.16.101', 443)
('RC4-MD5', 'TLSv1/SSLv3', 128)
{'notAfter': 'Sep 10 23:59:59 2008 GMT',
 'subject': ((('countryName', u'BR'),),
 (('stateOrProvinceName', u'Sao Paulo'),),
 (('localityName', u'Sao Paulo'),),
 (('organizationName', u'Banco ABN AMRO Real SA'),),
 (('organizationalUnitName', u'TI Internet PF e PJ'),),
 (('commonName', u'www.realsecureweb.com.br'),))}

If I now open, say, a firefox window and point it to https://wwws, it
gives me the expected warning that the hostname doesn't match the
certificate.

I'll attach the verisign CA certificate to make it easier to reproduce
the error.

--
components: Library (Lib)
files: verisign-inc-class-3-public-primary.pem
messages: 58434
nosy: ahasenack
severity: normal
status: open
title: New SSL module doesn't seem to verify hostname against commonName in certificate
type: security
versions: Python 2.6
Added file: 
http://bugs.python.org/file8924/verisign-inc-class-3-public-primary.pem

__
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue1589
__

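As an added example (not code from the thread or from the ssl module), a Python 3 version of the check the sample snippet earlier in the thread sketches, run against a constructed copy of the certificate dict quoted in the report above. It goes beyond the posted snippet: subjectAltName entries take precedence over commonName, and a wildcard is honoured only as the whole leftmost label. The names match_hostname, _dns_label_match and REPORTED_CERT are mine.

```python
import ipaddress

def _dns_label_match(pattern, hostname):
    # Match one certificate name against a hostname. A single '*' counts
    # only as the whole leftmost label (RFC 6125 6.4.3): '*.example.com'
    # matches 'www.example.com' but not 'example.com' or 'a.b.example.com'.
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ''

def match_hostname(cert, hostname):
    # True if `cert` (an ssl.getpeercert() style dict) is issued for `hostname`.
    # subjectAltName dNSName / IP Address entries win; the subject commonName
    # is consulted only when the certificate carries no dNSName SAN at all.
    san = cert.get('subjectAltName', ())
    dns_names = [v for (k, v) in san if k == 'DNS']
    ip_names = [v for (k, v) in san if k == 'IP Address']
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None  # hostname is a DNS name, not an IP literal
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_dns_label_match(n, hostname) for n in dns_names)
    # No SAN dNSName: legacy fallback to the subject commonName.
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName' and _dns_label_match(value, hostname):
                return True
    return False

# Constructed copy of the certificate dict quoted in the bug report.
REPORTED_CERT = {
    'notAfter': 'Sep 10 23:59:59 2008 GMT',
    'subject': ((('countryName', 'BR'),),
                (('stateOrProvinceName', 'Sao Paulo'),),
                (('localityName', 'Sao Paulo'),),
                (('organizationName', 'Banco ABN AMRO Real SA'),),
                (('organizationalUnitName', 'TI Internet PF e PJ'),),
                (('commonName', 'www.realsecureweb.com.br'),)),
}

if __name__ == '__main__':
    print(match_hostname(REPORTED_CERT, 'www.realsecureweb.com.br'))  # True
    print(match_hostname(REPORTED_CERT, 'wwws'))                      # False
```

Later Python versions ship this check in the ssl module itself (ssl.match_hostname and SSLContext.check_hostname); the hand-written version shows what the check has to look at after CERT_REQUIRED has verified the chain.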



[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate

2007-12-11 Thread Andreas Hasenack

Andreas Hasenack added the comment:

Oops, typo in the script:
cert = "verisign-inc-class-3-public-primary.pem"

__
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue1589
__



[issue1581] xmlrpclib.ServerProxy() doesn't use x509 data

2007-12-10 Thread Andreas Hasenack

New submission from Andreas Hasenack:

I was trying to use xmlrpclib.ServerProxy() with https and client
certificate validation (I know httplib doesn't do server certificate
validation yet). I found no way to pass on host/uri as a
(host,x509_dict) tuple as the connection methods support, so I came up
with this patch.

--
components: Library (Lib)
files: xmlrpclib-x509.patch
messages: 58363
nosy: ahasenack
severity: minor
status: open
title: xmlrpclib.ServerProxy() doesn't use x509 data
type: behavior
versions: Python 2.5
Added file: http://bugs.python.org/file8911/xmlrpclib-x509.patch

__
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue1581
__
--- xmlrpclib.py.orig	2007-12-10 17:00:49.0 -0200
+++ xmlrpclib.py	2007-12-10 17:37:55.0 -0200
@@ -1185,6 +1185,7 @@
 errcode, errmsg, headers = h.getreply()
 
 if errcode != 200:
+host, extra, x509 = self.get_host_info(host)
 raise ProtocolError(
 host + handler,
 errcode, errmsg,
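Review bot: the added `host, extra, x509 = self.get_host_info(host)` sits only inside the `if errcode != 200:` branch, so it exists purely to make the `host + handler` concatenation in the ProtocolError work when host is a (host, x509) tuple, and `extra` and `x509` are then unused. Unpack once at the top of the method instead (the trunk code quoted earlier in the thread does `host, extra_headers, x509 = self.get_host_info(host)` before using host) and add a comment saying host may be a tuple, so the tuple form is handled on every path rather than only when building the error.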
@@ -1382,7 +1383,8 @@
 uri [,options] - a logical connection to an XML-RPC server
 
 uri is the connection point on the server, given as
-scheme://host/target.
+scheme://host/target. It can also be a tuple of the form (uri,x509_dict)
+where x509_dict is a dictionary specifying files for SSL key and certificate.
 
 The standard implementation always supports the http scheme.  If
 SSL socket support is available (Python 2.0), it also supports
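Review bot: the new docstring sentence says x509_dict is "a dictionary specifying files for SSL key and certificate" but never names the keys. Since the dict is splatted straight into the HTTPS connection class (`return HTTPS(host, None, **(x509 or {}))` in the grep output earlier in the thread), spell out the accepted keys, which are the key_file and cert_file parameters httplib.HTTPS takes, and note that the dict has no effect for plain http URIs.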
@@ -1404,12 +1406,17 @@
  allow_none=0, use_datetime=0):
 # establish a logical server connection
 
+x509 = {}
 # get the url
 import urllib
+if isinstance(uri, TupleType):
+uri, x509 = uri
 type, uri = urllib.splittype(uri)
 if type not in (http, https):
 raise IOError, unsupported XML-RPC protocol
 self.__host, self.__handler = urllib.splithost(uri)
+if x509:
+self.__host = (self.__host, x509)
 if not self.__handler:
 self.__handler = /RPC2
 
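Review bot: `if isinstance(uri, TupleType): uri, x509 = uri` accepts any tuple, so a tuple of the wrong length fails with a bare ValueError from the unpacking and a non-dict second element is only discovered later in the transport. Check the length and type here and raise a clear error naming the expected (uri, x509_dict) form. Also, `if x509:` silently discards an empty dict, which is fine, but the tuple form is documented only for SSL; either reject it, or document that it is ignored, when the scheme is http rather than https.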



[issue1114345] Add SSL certificate validation

2007-12-10 Thread Andreas Hasenack

Changes by Andreas Hasenack:


--
nosy: +ahasenack

_
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue1114345
_