Antoine Pitrou added the comment:
I would like to reject this approach. I am still adding Christian to the CC
list, in case he has something to say about it :)
--
nosy: +christian.heimes
resolution:  -> rejected
status: open -> closed
Christian Heimes added the comment:
I agree with Antoine. I'm not sure what is going to happen if you use a single
SSLContext for unrelated services and different hosts -- not to mention SNI.
A while ago I tried a similar patch but I was stopped by the fact that OpenSSL
doesn't provide an API
Changes by Florian Weimer fwei...@redhat.com:
--
nosy: +fweimer
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue10441
___
___
Python-bugs-list
Nicolas Bareil n...@chdir.org added the comment:
Hello,
Your patch about SSLContext is great! But what can we do about python 2.x?
I understand that we have to keep backward compatibility but something has to
be done for improving current situation, even Paypal API (*) recommends using
Martin v. Löwis mar...@v.loewis.de added the comment:
> Your patch about SSLContext is great! But what can we do about python 2.x?
Adding new features to Python 2.7 is certainly not an option.
> what do you think about a DeprecationWarning at runtime?
What API exactly should this deprecate?
Nicolas Bareil n...@chdir.org added the comment:
Martin v. Löwis rep...@bugs.python.org writes:
>> what do you think about a DeprecationWarning at runtime?
> What API exactly should this deprecate?
Ooops, lapsus. I was thinking about a RuntimeWarning raised on HTTPS
request (in
Éric Araujo mer...@netwok.org added the comment:
We tend to spend some time on documentation:
http://docs.python.org/dev/library/ssl#ssl.SSLContext.set_default_verify_paths
--
david db.pub.m...@gmail.com added the comment:
Cool yeah. The documentation is good. I asked the question because I
wasn't sure if it was in a pending patch elsewhere in the bug tracker
or was accepted. I guess I should have googled for it.
Thank you.
--
david db.pub.m...@gmail.com added the comment:
Thank you @loewis. However, I don't see where set_default_verify_path is
defined in the patch you have provided.
It would also be nice to do something like this:
    import ssl
    ...
    ssl._FORCE_VERIFICATION = True
and even better would be to
Martin v. Löwis mar...@v.loewis.de added the comment:
> Thank you @loewis. However, I don't see where
> set_default_verify_path - is defined in the patch you have provided.
It's not defined in the patch, as it is already committed to Python.
--
title: some stdlib modules need to be
david db.pub.m...@gmail.com added the comment:
and what does it do?
--
title: some stdlib modules need to be updated to handle SSL certificate validation -> some stdlib modules need to be updated to handle SSL certificate validation
Changes by Senthil Kumaran orsent...@gmail.com:
--
nosy: +orsenthil
david db.pub.m...@gmail.com added the comment:
Back to the main issue here:
So for python3 is it possible to make attempting to use capath (some
common ones OR the openssl location capath if this is ok for use) the
default (with failure to find a valid capath resulting in an exception
being raised)?
Martin v. Löwis mar...@v.loewis.de added the comment:
> So for python3 is it possible to make attempting to use capath(some
> common ones OR the openssl location capath if this is ok for use) the
> default(with failure to find a valid capath result in an exception
> being raised) ?
The default?
david db.pub.m...@gmail.com added the comment:
On 21 November 2010 20:50, Martin v. Löwis rep...@bugs.python.org wrote:
> Martin v. Löwis mar...@v.loewis.de added the comment:
>> So for python3 is it possible to make attempting to use capath(some
>> common ones OR the openssl location capath if
Antoine Pitrou pit...@free.fr added the comment:
Having applications/scripts explicitly opt-in to a default CA
certificate list would be an option (then making those applications
break in installations where the default CA list is empty).
Errors should never pass silently.
IMHO it is
david db.pub.m...@gmail.com added the comment:
Fine.
So if not in the ssl module what about for urllib etc.?
--
Antoine Pitrou pit...@free.fr added the comment:
> Fine.
> So if not in the ssl module what about for urllib etc.?
The same answer really... We can't change default settings without
breaking compatibility.
--
Changes by Antoine Pitrou pit...@free.fr:
--
nosy: -db
david db.pub.m...@gmail.com added the comment:
So please close this bug.
Apparently making things secure by default is too much to ask.
--
Changes by david db.pub.m...@gmail.com:
--
resolution:  -> rejected
status: open -> closed
Changes by Antoine Pitrou pit...@free.fr:
--
resolution: rejected ->
stage: needs patch ->
status: closed -> open
Martin v. Löwis mar...@v.loewis.de added the comment:
Here is a patch that changes SSLContext into a context manager, allowing one to
write code like
    with ssl.SSLContext(ssl.PROTOCOL_SSLv23):
        ssl.SSLContext.current().set_default_verify_path()
        res =
Antoine Pitrou pit...@free.fr added the comment:
Martin,
You misunderstood. I was not proposing that scripts provide a CA
list, but that users might deploy a CA list into their Python
installation, which is then picked up in the same way as you are asking
for on Ubuntu.
Could you elaborate
david db.pub.m...@gmail.com added the comment:
On 21 November 2010 09:27, Antoine Pitrou rep...@bugs.python.org wrote:
> Antoine Pitrou pit...@free.fr added the comment:
> Martin,
> You misunderstood. I was not proposing that scripts provide a CA
> list, but that users might deploy a CA list into
Martin v. Löwis mar...@v.loewis.de added the comment:
Antoine,
I was proposing that the Windows installation should have a folder where
OpenSSL looks for certificates, and that users put trusted certificates into
that folder. These should be the ones that set_default_verify_paths will use.
Martin v. Löwis mar...@v.loewis.de added the comment:
db: there *is* no sane system ca path, or Python would have done that long
ago. On Windows, it may be possible to drop OpenSSL, and use the system
certificate store. However, that would be a major rewrite, and it may not be
possible to
Antoine Pitrou pit...@free.fr added the comment:
The best that could be done is to provide a configuration option (e.g.
global variable) that should be treated as a default value, and then
leave it to people distributing Python to fill out this variable in a
sensible way.
Actually, OpenSSL
Martin v. Löwis mar...@v.loewis.de added the comment:
> The best that could be done is to provide a configuration option (e.g.
> global variable) that should be treated as a default value, and then
> leave it to people distributing Python to fill out this variable in a
> sensible way.
Actually,
david db.pub.m...@gmail.com added the comment:
On 19 November 2010 03:18, Martin v. Löwis rep...@bugs.python.org wrote:
> Martin v. Löwis mar...@v.loewis.de added the comment:
>> The best that could be done is to provide a configuration option (e.g.
>> global variable) that should be treated as a
Antoine Pitrou pit...@free.fr added the comment:
This may not be satisfying to users. For example, our Windows
distribution doesn't ship with any certificates (AFAIK); I have no
clue where exactly OpenSSL would be looking for them, either.
People worried about this problem probably would
david db.pub.m...@gmail.com added the comment:
On 19 November 2010 03:48, Antoine Pitrou rep...@bugs.python.org wrote:
> Antoine Pitrou pit...@free.fr added the comment:
> This may not be satisfying to users. For example, our Windows
> distribution doesn't ship with any certificates (AFAIK); I
Martin v. Löwis mar...@v.loewis.de added the comment:
> This may not be satisfying to users. For example, our Windows
> distribution doesn't ship with any certificates (AFAIK); I have no
> clue where exactly OpenSSL would be looking for them, either.
> People worried about this problem probably would
david db.pub.m...@gmail.com added the comment:
On 19 November 2010 04:40, Martin v. Löwis rep...@bugs.python.org wrote:
> Martin v. Löwis mar...@v.loewis.de added the comment:
>> This may not be satisfying to users. For example, our Windows
>> distribution doesn't ship with any certificates (AFAIK);
Changes by Éric Araujo mer...@netwok.org:
--
nosy: +eric.araujo
david db.pub.m...@gmail.com added the comment:
Sorry, I don't remember seeing the change-set/commit showing that this is now on by
default (for those modules).
--
david db.pub.m...@gmail.com added the comment:
Are you referring to
http://code.python.org/hg/branches/py3k/rev/86f97255bfc8
where there is now
2.29 + .. warning::
2.30 + If neither *cafile* nor *capath* is specified, an HTTPS request
2.31 + will not do any
Antoine Pitrou pit...@free.fr added the comment:
Are you referring to
http://code.python.org/hg/branches/py3k/rev/86f97255bfc8
where there is now
2.29 + .. warning::
2.30 + If neither *cafile* nor *capath* is specified, an HTTPS
request
2.31 + will not do any
Antoine Pitrou pit...@free.fr added the comment:
> Well, what are the usual paths for windows and linux?
> Just try those(by default) and if this fails (no ca's paths work) then
> raise an exception and have a parameter to disable this behaviour.
That's a possible resolution, but it needs a patch.
Antoine Pitrou pit...@free.fr added the comment:
Actually, it seems OpenSSL is often built with the paths to system
certificates, which can be enabled by an undocumented function. See issue10443.
--
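The OpenSSL default-path function Antoine refers to is exposed in Python as SSLContext.set_default_verify_paths(), linked earlier in the thread. The following is an added example, not code from the tracker thread or from any patch attached to it: it contrasts the unverified default the thread objects to with a context that opts in to verification, and adds a small audit a deployer can run. It assumes a Python 3 ssl module that has PROTOCOL_TLS_CLIENT and cert_store_stats(); the hashed-file-name rule for capath is OpenSSL's c_rehash convention.

```python
import os
import re
import ssl

# OpenSSL finds a CA in a capath directory only through a file named
# <subject-hash>.<n> (what c_rehash creates); a plain "ca.pem" is ignored.
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

def is_hashed_cert_name(name):
    return _HASHED_NAME.match(name) is not None

def capath_has_hashed_certs(capath):
    return any(is_hashed_cert_name(n) for n in os.listdir(capath))

def verifying_client_context(cafile=None, capath=None):
    """Client context that really verifies the peer (what the thread asks for).
    Without cafile/capath it falls back to the CA locations compiled into
    OpenSSL (SSL_CTX_set_default_verify_paths), which also honours the
    SSL_CERT_FILE and SSL_CERT_DIR environment variables."""
    if capath and not capath_has_hashed_certs(capath):
        raise ValueError("capath %r has no hashed entries; run c_rehash" % capath)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        ctx.set_default_verify_paths()
    return ctx

def legacy_unverified_context():
    """The historical default the thread objects to: no CA locations and
    CERT_NONE, so whatever certificate the server presents is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx):
    """Reasons this context would not validate the peer certificate.
    capath entries are read lazily, so x509_ca only counts CAs loaded
    eagerly from a cafile or from the default CA file."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("verify_mode is CERT_NONE: peer certificate never checked")
    if not ctx.check_hostname:
        problems.append("check_hostname is False: certificate not tied to host name")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        problems.append("no CA certificates loaded eagerly: nothing to chain to")
    return problems
```

Running audit_context() over the contexts an application actually builds is the cheapest way to catch the silent no-verification case the warning in the documentation describes.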
david db.pub.m...@gmail.com added the comment:
Interesting but you may want to ask the openssl developers about this first.
--