[issue22417] PEP 476: verify HTTPS certificates by default

2017-01-04 Thread Christian Heimes

Christian Heimes added the comment:

Carlos, you are correct. Please create a new issue and make it a documentation 
issue for 2.7. Thanks!

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue22417] PEP 476: verify HTTPS certificates by default

2017-01-03 Thread Carlos Alberto Lopez Perez

Carlos Alberto Lopez Perez added the comment:

The python 2.7 documentation for urllib still has a big warning notice at the 
top saying:

"""
Warning

When opening HTTPS URLs, it does not attempt to validate the server 
certificate. Use at your own risk! 
"""
^^ https://docs.python.org/2/library/urllib.html

I believe this is incorrect since this patch was backported to the 2.7 branch. 
I checked it, and it verifies SSL certs by default.


I guess the documentation for urllib should be updated to remove that warning?

--
nosy: +clopez




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-23 Thread Benjamin Peterson

Changes by Benjamin Peterson:


--
resolution:  -> fixed
status: open -> closed




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-23 Thread Roundup Robot

Roundup Robot added the comment:

New changeset fb83916c3ea1 by Benjamin Peterson in branch '2.7':
pep 476: verify certificates by default (#22417)
https://hg.python.org/cpython/rev/fb83916c3ea1

--




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-23 Thread Alex Gaynor

Alex Gaynor added the comment:

Attached patch backports this to 2.7.

--
Added file: http://bugs.python.org/file37261/issue22417.diff




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-13 Thread koobs

koobs added the comment:

Builds failing on koobs-freebsd9 buildbot for:

3.x: since revision b2c17681404f80edae2ee4846db701104d942cc4
3.4: since revision 246c9570a75798a4757001620cf92cc8d2eba684

Attaching both initial build failure test logs.

--
nosy: +koobs
Added file: 
http://bugs.python.org/file37192/koobs-freebsd9.python3x-build2357.log




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-03 Thread Benjamin Peterson

Benjamin Peterson added the comment:

Somehow the Windows bots are failing to verify python.org 
http://buildbot.python.org/all/builders/x86%20XP-4%203.x/builds/11179/steps/test/logs/stdio

--




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-03 Thread Benjamin Peterson

Benjamin Peterson added the comment:

Okay, 3.4/3.5 have been dealt with. I had to hack up test_logging a bit. 
(#22788 would make that better). 2.7 now needs a backport.

--




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-03 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 2afe5413d7af by Benjamin Peterson in branch '3.4':
PEP 476: enable HTTPS certificate verification by default (#22417)
https://hg.python.org/cpython/rev/2afe5413d7af

New changeset 731375f83406 by Benjamin Peterson in branch 'default':
merge 3.4 (#22417)
https://hg.python.org/cpython/rev/731375f83406

--
nosy: +python-dev




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-03 Thread Alex Gaynor

Alex Gaynor added the comment:

Fix for the failing test_ssl tests.

--
Added file: http://bugs.python.org/file37123/issue22417.diff




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-03 Thread Alex Gaynor

Alex Gaynor added the comment:

Latest patch fixes the urllib2_localnet tests.

--
Added file: http://bugs.python.org/file37122/issue22417.diff




[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-03 Thread Benjamin Peterson

Benjamin Peterson added the comment:

% ./python Lib/test/regrtest.py -v test_urllib2_localnet
== CPython 3.4.2+ (3.4:7be6ef737aaf+, Nov 3 2014, 10:03:11) [GCC 4.8.3]
==   
Linux-3.16.5-gentoo-x86_64-Intel-R-_Core-TM-_i7-2860QM_CPU_@_2.50GHz-with-gentoo-2.2
 little-endian
==   hash algorithm: siphash24 64bit
==   /home/benjamin/dev/python/3.4/build/test_python_28724
Testing with flags: sys.flags(debug=0, inspect=0, interactive=0, optimize=0, 
dont_write_bytecode=0, no_user_site=0, no_site=0, ignore_environment=0, 
verbose=0, bytes_warning=0, quiet=0, hash_randomization=1, isolated=0)
[1/1] test_urllib2_localnet
test_basic_auth_httperror (test.test_urllib2_localnet.BasicAuthTests) ... ok
test_basic_auth_success (test.test_urllib2_localnet.BasicAuthTests) ... ok
test_proxy_qop_auth_int_works_or_throws_urlerror 
(test.test_urllib2_localnet.ProxyAuthTests) ... ok
test_proxy_qop_auth_works (test.test_urllib2_localnet.ProxyAuthTests) ... ok
test_proxy_with_bad_password_raises_httperror 
(test.test_urllib2_localnet.ProxyAuthTests) ... ok
test_proxy_with_no_password_raises_httperror 
(test.test_urllib2_localnet.ProxyAuthTests) ... ok
test_200 (test.test_urllib2_localnet.TestUrlopen) ... ok
test_200_with_parameters (test.test_urllib2_localnet.TestUrlopen) ... ok
test_404 (test.test_urllib2_localnet.TestUrlopen) ... ok
test_bad_address (test.test_urllib2_localnet.TestUrlopen) ... skipped "Use of 
the 'network' resource not enabled"
test_basic (test.test_urllib2_localnet.TestUrlopen) ... ok
test_chunked (test.test_urllib2_localnet.TestUrlopen) ... ok
test_geturl (test.test_urllib2_localnet.TestUrlopen) ... ok
test_https (test.test_urllib2_localnet.TestUrlopen) ... Got an error:
[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:600)
stopping HTTPS server
joining HTTPS thread
ERROR
test_https_sni (test.test_urllib2_localnet.TestUrlopen) ... Got an error:
[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:600)
stopping HTTPS server
joining HTTPS thread
ERROR
test_https_with_cadefault (test.test_urllib2_localnet.TestUrlopen) ... stopping 
HTTPS server
Got an error:
[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:600)
joining HTTPS thread
ok
test_https_with_cafile (test.test_urllib2_localnet.TestUrlopen) ... Got an 
error:
[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:600)
stopping HTTPS server
joining HTTPS thread
stopping HTTPS server
joining HTTPS thread
ok
test_info (test.test_urllib2_localnet.TestUrlopen) ... ok
test_iteration (test.test_urllib2_localnet.TestUrlopen) ... ok
test_line_iteration (test.test_urllib2_localnet.TestUrlopen) ... ok
test_redirection (test.test_urllib2_localnet.TestUrlopen) ... ok
test_sending_headers (test.test_urllib2_localnet.TestUrlopen) ... ok

==
ERROR: test_https (test.test_urllib2_localnet.TestUrlopen)
--
Traceback (most recent call last):
  File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1182, in 
do_open
h.request(req.get_method(), req.selector, req.data, headers)
  File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1090, in request
self._send_request(method, url, body, headers)
  File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1128, in 
_send_request
self.endheaders(body)
  File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1086, in 
endheaders
self._send_output(message_body)
  File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 924, in 
_send_output
self.send(msg)
  File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 859, in send
self.connect()
  File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1230, in connect
server_hostname=sni_hostname)
  File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 364, in wrap_socket
_context=self)
  File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 584, in __init__
self.do_handshake()
  File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 811, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
(_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 
548, in test_https
data = self.urlopen("https://localhost:%s/bizarre" % handler.port)
  File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 
455, in urlopen
f = urllib.request.urlopen(url, data, **kwargs)
  File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 161, in 
urlopen
return opener.open(url, data, timeout)
  File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 463, in open
response = self._open(req, data)
  File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 481, in _open
'_open', req)
  File "/home/

[issue22417] PEP 476: verify HTTPS certificates by default

2014-11-02 Thread Alex Gaynor

Alex Gaynor added the comment:

New patch uses self-signed.pythontest.net, instead of svn.python.org. 
svn.python.org is signed by CACert, which is in the root on some machines.

--
Added file: http://bugs.python.org/file37113/issue22417.diff




[issue22417] PEP 476: verify HTTPS certificates by default

2014-10-31 Thread Alex Gaynor

Alex Gaynor added the comment:

New version of the patch based on feedback from benjamin, should make it easier 
to do the 3.4 branch stuff.

--
Added file: http://bugs.python.org/file37094/issue22417.diff




[issue22417] PEP 476: verify HTTPS certificates by default

2014-10-30 Thread Alex Gaynor

Alex Gaynor added the comment:

Updates to the docs based on the feedback from Antoine.

--
Added file: http://bugs.python.org/file37081/issue22417.diff




[issue22417] PEP 476: verify HTTPS certificates by default

2014-10-30 Thread Alex Gaynor

Alex Gaynor added the comment:

Patch now makes more precise assertions about the type of error that's 
occurring.

--
Added file: http://bugs.python.org/file37077/issue22417.diff




[issue22417] PEP 476: verify HTTPS certificates by default

2014-10-13 Thread Alex Gaynor

Alex Gaynor added the comment:

Patch with the implementation, and initial work on documentation. Needs review 
please, I suspect we need more docs in more places. Feedback please!

--
keywords: +needs review
Added file: http://bugs.python.org/file36901/issue22417.diff




[issue22417] PEP 476: verify HTTPS certificates by default

2014-10-13 Thread Raúl Cumplido

Changes by Raúl Cumplido:


--
nosy: +raulcd




[issue22417] PEP 476: verify HTTPS certificates by default

2014-09-25 Thread Jesús Cea Avión

Changes by Jesús Cea Avión:


--
nosy: +jcea




[issue22417] PEP 476: verify HTTPS certificates by default

2014-09-21 Thread Arfrever Frehtes Taifersar Arahesis

Changes by Arfrever Frehtes Taifersar Arahesis:


--
nosy: +Arfrever




[issue22417] PEP 476: verify HTTPS certificates by default

2014-09-20 Thread Christian Heimes

Changes by Christian Heimes:


--
nosy: +christian.heimes




[issue22417] PEP 476: verify HTTPS certificates by default

2014-09-19 Thread Nick Coghlan

Nick Coghlan added the comment:

Currently marking as a deferred blocker, as Alex wasn't sure he'd be able to 
get PEP 476 fully updated in time for 3.4.2rc1, and was willing to accept 
waiting for 2.7.9 and 3.4.3 rather than delaying 3.4.2 any further.

However, that was before Senthil accepted the patch in 22366 for 3.5, which 
means we're at "feature complete" for the proposed changes.

There's still the issue 22366 backport patch, PEP update, docs updates and 
What's New updates to go, so assigning to Alex to decide if he wants to work 
with Larry to get this ready to go for 3.4.2 (noting that the PEP still needs 
the final tick of approval from Guido after being updated to reflect the 
proposed implementation).

Otherwise we can get it ready for 2.7.9 with the other SSL changes, and it will 
appear in the 3.4.3 maintenance release, rather than 3.4.2.

(Note that I'm busy most of this weekend, so +1 from me in advance if you 
decide to go ahead with getting it into 3.4.2)

--
assignee:  -> alex
dependencies: +urllib.request.urlopen shoudl take a "context" (SSLContext) 
argument
nosy: +benjamin.peterson
priority: high -> deferred blocker
versions: +Python 2.7, Python 3.4, Python 3.5




[issue22417] PEP 476: verify HTTPS certificates by default

2014-09-18 Thread Jakub Wilk

Changes by Jakub Wilk:


--
nosy: +jwilk




[issue22417] PEP 476: verify HTTPS certificates by default

2014-09-17 Thread Senthil Kumaran

Changes by Senthil Kumaran:


--
nosy: +orsenthil




[issue22417] PEP 476: verify HTTPS certificates by default

2014-09-15 Thread Alex Gaynor

Changes by Alex Gaynor:


--
nosy: +dstufft




[issue22417] PEP 476: verify HTTPS certificates by default

2014-09-15 Thread Nick Coghlan

New submission from Nick Coghlan:

Attached minimal patch updates http.client.HTTPSConnection to validate certs by 
default and adjusts test.test_httplib accordingly.

It doesn't currently include any docs changes, or changes to urllib.

The process wide "revert to the old behaviour" hook is to monkeypatch the ssl 
module:

ssl._create_default_https_context = ssl._create_unverified_context

To monkeypatch the stdlib to validate *everything* (this one isn't new, just 
noting it for the record):

ssl._create_stdlib_context = ssl.create_default_context

--
files: pep476_minimal_implementation.diff
keywords: patch
messages: 226912
nosy: alex, larry, ncoghlan
priority: high
severity: normal
status: open
title: PEP 476: verify HTTPS certificates by default
type: enhancement
Added file: http://bugs.python.org/file36624/pep476_minimal_implementation.diff
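
Added example, not part of the original submission or of CPython: a check for whether the process-wide hook named in the message above still yields a verifying context, and a demonstration that http.client reads the hook when a connection object is constructed. The helper names and the host example.invalid are assumptions for illustration; the code relies on the private ssl names quoted in the message and on the private HTTPSConnection._context attribute.

```python
import contextlib
import http.client
import ssl


def verifies(ctx):
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def audit_https_default():
    """Return findings about the hook http.client consults (empty list = OK)."""
    findings = []
    if ssl._create_default_https_context is ssl._create_unverified_context:
        findings.append("hook rebound to ssl._create_unverified_context")
    ctx = ssl._create_default_https_context()
    if not verifies(ctx):
        findings.append("default context: verify_mode=%s check_hostname=%s"
                        % (ctx.verify_mode.name, ctx.check_hostname))
    return findings


@contextlib.contextmanager
def legacy_unverified_default():
    """Apply the revert hook from the submission, then always restore it."""
    saved = ssl._create_default_https_context
    ssl._create_default_https_context = ssl._create_unverified_context
    try:
        yield
    finally:
        ssl._create_default_https_context = saved


def connection_verifies(host="example.invalid"):
    """Build (never connect) an HTTPSConnection and inspect its context."""
    # _context is a private attribute; the host is a placeholder (assumption).
    return verifies(http.client.HTTPSConnection(host)._context)


if __name__ == "__main__":
    print("clean process:", audit_https_default(), connection_verifies())
    with legacy_unverified_default():
        print("hook applied :", audit_https_default(), connection_verifies())
    print("restored     :", audit_https_default(), connection_verifies())
```

Because the context is created when the connection object is built, rebinding the hook affects only connections constructed afterwards; passing an explicit context to a single connection keeps any exception scoped to that call.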
