[issue22365] SSLContext.load_verify_locations(cadata) does not accept CRLs

2018-02-26 Thread Christian Heimes

Change by Christian Heimes :


--
assignee: christian.heimes -> 
components:  -Extension Modules
priority: normal -> low
versions: +Python 3.8 -Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue22365] SSLContext.load_verify_locations(cadata) does not accept CRLs

2017-09-06 Thread Christian Heimes

Christian Heimes added the comment:

I'd rather not overload cadata with cert and CRL loading. It makes both code 
and usage messy. How about crldata argument? This would be a new feature, 
though.

--
versions:  -Python 3.6




[issue22365] SSLContext.load_verify_locations(cadata) does not accept CRLs

2016-09-15 Thread Christian Heimes

Changes by Christian Heimes :


--
assignee:  -> christian.heimes
components: +SSL




[issue22365] SSLContext.load_verify_locations(cadata) does not accept CRLs

2016-09-08 Thread Christian Heimes

Changes by Christian Heimes :


--
stage:  -> needs patch
type:  -> behavior
versions: +Python 3.6, Python 3.7 -Python 3.4




[issue22365] SSLContext.load_verify_locations(cadata) does not accept CRLs

2014-09-09 Thread Ralph Broenink

Ralph Broenink added the comment:

Here's a minimal example of the issue, assuming you have obtained a CRL in PEM 
format, e.g. from https://www.emulab.net/genicrl.bundle:


import ssl
context = ssl.create_default_context()

path = 'path/to/crl.crl'

# Working:
context.load_verify_locations(cafile=path)

# Not working:
with open(path, 'r') as f:
    context.load_verify_locations(cadata=f.read())


Replacing the path to the CRL with a path to a CA works in both cases.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue22365
___



[issue22365] SSLContext.load_verify_locations(cadata) does not accept CRLs

2014-09-08 Thread Ralph Broenink

New submission from Ralph Broenink:

Issue #18138 added support for the cadata argument in 
SSLContext.load_verify_locations. However, this argument does not support 
certificate revocation lists (CRLs) to be added (at least not in PEM format):

ssl.SSLError: [PEM: NO_START_LINE] no start line (_ssl.c:2633)

The documentation of this method is rather vague on this subject and does not 
state explicitly this is not allowed:

This method can also load certification revocation lists (CRLs) in PEM or 
DER format. In order to make use of CRLs, SSLContext.verify_flags must be 
configured properly.

I think CRLs should be allowed to be loaded using the cadata argument. However, 
the documentation could use some polishing too: "At least one of cafile or 
capath must be specified." is outdated since the introduction of cadata.

--
components: Extension Modules
messages: 226582
nosy: Ralph.Broenink
priority: normal
severity: normal
status: open
title: SSLContext.load_verify_locations(cadata) does not accept CRLs
versions: Python 3.4




[issue22365] SSLContext.load_verify_locations(cadata) does not accept CRLs

2014-09-08 Thread Alex Gaynor

Changes by Alex Gaynor alex.gay...@gmail.com:


--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
