[issue25529] Provide access to the validated certificate chain in ssl module

2016-06-11 Thread Berker Peksag

Changes by Berker Peksag :


--
resolution:  -> duplicate
stage:  -> resolved
status: open -> closed
superseder:  -> Add support for retrieving the certificate chain

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue25529] Provide access to the validated certificate chain in ssl module

2015-12-06 Thread R. David Murray

R. David Murray added the comment:

If there's no reply, that would be a no :)

So, pinging the issue after a month as you just did is appropriate, let's see 
if one of the openssl experts replies.

On the other hand, how is this different from issue 24107, where Crys did reply?

--
nosy: +r.david.murray




[issue25529] Provide access to the validated certificate chain in ssl module

2015-12-05 Thread rugk

rugk added the comment:

Oops, forgot a word:
*"seems to have until now" to "seems to have replied until now"

--




[issue25529] Provide access to the validated certificate chain in ssl module

2015-12-05 Thread rugk

rugk added the comment:

Very nice idea. But no developer/maintainer seems to have until now, so I'd 
just like to ask whether there are any news regarding this issue.

--
nosy: +rugk




[issue25529] Provide access to the validated certificate chain in ssl module

2015-11-01 Thread Christian Heimes

Changes by Christian Heimes :


--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou




[issue25529] Provide access to the validated certificate chain in ssl module

2015-11-01 Thread Cory Benfield

New submission from Cory Benfield:

I’m currently working on adding support for HPKP to the Requests and urllib3 
modules. HPKP (HTTP Public Key Pinning), specified in RFC 7469, is an extension 
to HTTP that allows a web server to specify a whitelist of public keys that are 
valid for TLS certificates on that domain. This prevents a rogue certificate 
authority from issuing a certificate that would be trusted by a browser and 
would allow a man-in-the-middle attack on a domain (as happened to Google in 
2013[0]).

Right now, the draft version of the support I have will only work when you use 
PyOpenSSL for your TLS needs, not the standard library. This is because to get 
HPKP to work I need access to the validated certificate chain: that is, the 
certificate chain that OpenSSL has built and validated for the TLS connection. 
I also need to be able to work with those certificates in order to extract 
their public keys. The standard library’s ssl module does not expose any of 
this functionality.

To get this to work with the standard library, I would require the following 
things from the standard library:

1. The ability to access the validated certificate chain. This requires saving 
off the certificate each time the OpenSSL verify callback is called. This is an 
easy enough change to make.
2. The ability to extract the public key from the saved certificates. This 
could be done by extending the logic used for getpeercert() to provide a 
DER-encoded ASN.1 representation of the public key in the dictionary, and then 
using that representation for each cert in the peer cert chain.

The motivation for making this available in the standard library would be pip. 
Right now python.org and all its subdomains (including pypi.python.org) are 
HPKP-enabled. Making this support available in the standard library would 
ensure that all pip installations are safe from man-in-the-middle attacks on 
its packaging infrastructure. Without it, a number of third-party packages 
would be required to add this security. In particular, pip could distribute a 
HPKP preload value for pypi.python.org, which would ensure that pip is truly 
invulnerable to MITM TLS attacks via malicious attackers coercing a CA to 
provide TLS certificates for *.python.org.

I’m happy to do the work required to provide this functionality, but I’d only 
like to start work if people believe there’s a likelihood of getting it merged.

[0]: 
https://nakedsecurity.sophos.com/2013/01/08/the-turktrust-ssl-certificate-fiasco-what-happened-and-what-happens-next/

--
components: Library (Lib)
messages: 253864
nosy: Lukasa
priority: normal
severity: normal
status: open
title: Provide access to the validated certificate chain in ssl module
type: enhancement
versions: Python 3.6

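The two pieces of functionality Cory's report asks the stdlib for (the validated chain, and the public key of each certificate in it) exist so that a client can do the RFC 7469 computation below. The following is an added worked example, not code from this issue, from pip/urllib3 or from the Python ssl module: it pulls the DER SubjectPublicKeyInfo out of a DER certificate with a minimal X.509 walker, turns it into a pin (base64 of SHA-256 over the SPKI, RFC 7469 section 2.4), parses a Public-Key-Pins header, and applies the two checks a pinning client must make: at least one certificate in the chain matches a pin (section 2.6), and a header is only worth remembering if it also carries a backup pin that the current chain does not satisfy (section 2.5). The chain is just a list of DER blobs, so it works on whatever supplies them; at the time of the report the stdlib's `getpeercert(binary_form=True)` returns only the leaf. `build_sample_cert`, the Ed25519 OID label and the dummy dates and signature are my own constructed fixture so the code runs offline; the certificate it builds is unsigned and would not validate anywhere.

```python
import base64
import hashlib
import re


def _read_tlv(buf, pos):
    """Parse the DER tag and definite-form length at buf[pos].
    Returns (tag, value_start, value_end); the whole TLV is buf[pos:value_end]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, pos + length


def _der(tag, content):
    """Encode one DER TLV (only used to build the constructed sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER X.509 certificate; this exact
    byte string is what an RFC 7469 pin hashes."""
    tag, pos, _ = _read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = _read_tlv(cert_der, pos)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _read_tlv(cert_der, pos)            # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = end
    for _ in range(5):                                # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, spki_end = _read_tlv(cert_der, pos)       # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[pos:spki_end]


def compute_pin(spki_der):
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]{43}=)"', re.IGNORECASE)  # 44-char base64 of 32 bytes
_AGE_RE = re.compile(r"max-age=(\d+)", re.IGNORECASE)


def parse_pkp_header(value):
    """Parse a Public-Key-Pins header value into (pins, max_age, include_subdomains)."""
    pins = set(_PIN_RE.findall(value))
    m = _AGE_RE.search(value)
    max_age = int(m.group(1)) if m else None
    return pins, max_age, "includesubdomains" in value.lower()


def chain_matches_pins(chain_der, pins):
    """RFC 7469 section 2.6: the connection passes if at least one certificate in
    the validated chain has an SPKI whose pin is in the pin set."""
    return any(compute_pin(extract_spki(c)) in pins for c in chain_der)


def header_is_noteworthy(pins, chain_der):
    """RFC 7469 section 2.5: a client records pins only if the header has a pin
    matching the chain AND a backup pin that the chain does not satisfy."""
    chain_pins = {compute_pin(extract_spki(c)) for c in chain_der}
    return bool(pins & chain_pins) and bool(pins - chain_pins)


_OID_ED25519 = bytes.fromhex("2b6570")  # 1.3.101.112; only labels the sample key


def build_sample_cert(raw_public_key):
    """Constructed fixture: a syntactically valid, UNSIGNED DER certificate skeleton
    around raw_public_key, so the parser has realistic input without a network."""
    alg = _der(0x30, _der(0x06, _OID_ED25519))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + raw_public_key))
    empty_name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z"))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))   # [0] version = v3
               + _der(0x02, b"\x01")             # serialNumber
               + alg + empty_name + validity + empty_name + spki)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(64)))  # dummy signature
    return cert, spki


if __name__ == "__main__":
    leaf, _ = build_sample_cert(b"\x11" * 32)
    backup, backup_spki = build_sample_cert(b"\x22" * 32)
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
        compute_pin(extract_spki(leaf)), compute_pin(backup_spki))
    pins, max_age, sub = parse_pkp_header(header)
    print("chain pinned:", chain_matches_pins([leaf], pins))
    print("header noteworthy (has backup pin):", header_is_noteworthy(pins, [leaf]))
```

The chain passed to `chain_matches_pins` must be the chain OpenSSL actually validated, not the one the server sent: pinning against an unverified chain lets a MITM satisfy the check by simply including the pinned certificate alongside its own. That is exactly why the report asks for the validated chain rather than the peer's raw certificate list.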