[issue1589] New SSL module doesn't seem to verify hostname against commonName in certificate

2012-02-25 Thread Thomas Leonard
Thomas Leonard added the comment: Just to add a couple of data points to argue in favour of a secure-by-default behaviour: 0install.net: http://secunia.com/advisories/47935 (spoofing attack due to certificate names not being validated) Mozilla is recommending people avoid using Python's bui

2010-11-17 Thread Éric Araujo
Changes by Éric Araujo: -- nosy: +eric.araujo

2010-11-12 Thread Jesús Cea Avión
Changes by Jesús Cea Avión: -- nosy: +jcea

2010-11-11 Thread Antoine Pitrou
Antoine Pitrou added the comment: > > > > It's more of a missing feature than a security issue in itself, although > > the missing feature has to do with security. > > Still it would be nice to see in python 2.x at some point don't you think? Well, lots of things would be nice to see in python

2010-11-11 Thread david
david added the comment: On 11 November 2010 23:31, Antoine Pitrou wrote: > > Antoine Pitrou added the comment: > >> Should we escalate this issue to CVA for Python 2.x? > > It's more of a missing feature than a security issue in itself, although > the missing feature has to do with security.

2010-11-11 Thread Antoine Pitrou
Antoine Pitrou added the comment: > Should we escalate this issue to CVA for Python 2.x? It's more of a missing feature than a security issue in itself, although the missing feature has to do with security.

2010-11-11 Thread anatoly techtonik
anatoly techtonik added the comment: Should we escalate this issue to CVA for Python 2.x? -- nosy: +techtonik

2010-11-01 Thread Mads Kiilerich
Mads Kiilerich added the comment: > So I know the current patch doesn't support IP addresses Not exactly. The committed patch does not consider IP addresses - especially not iPAddress entries in subjectAltName. But Python only distinguishes resolvable names from IP addresses at a very low level

2010-10-31 Thread david
david added the comment: So I know the current patch doesn't support IP addresses but I thought I would link to what Mozilla considered a security problem (just for future reference): CVE-2010-3170: http://www.mozilla.org/security/announce/2010/mfsa2010-70.html "Security researcher Richard Moo

2010-10-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: On Friday 15 October 2010 at 22:51 +, Mads Kiilerich wrote: > Mads Kiilerich added the comment: > > Can you confirm that the exception raised both on "too early" and "too > late" is something like "...SSL3_GET_SERVER_CERTIFICATE:certificate > verify fa

2010-10-15 Thread Mads Kiilerich
Mads Kiilerich added the comment: Can you confirm that the exception raised both on "too early" and "too late" is something like "...SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"? (If so: It would be nice if a slightly more helpful message could be given. I don't know if that is poss

2010-10-08 Thread Antoine Pitrou
Antoine Pitrou added the comment: I wanted to go forward with this and so I've committed the patch in r85321. If you're concerned about the lack of support for IP addresses, you can open a new issue (and even provide a patch!). Thank you. -- resolution: -> fixed stage: patch review -

2010-10-07 Thread Mads Kiilerich
Mads Kiilerich added the comment: > Indeed. But, strictly speaking, there are no tests for IPs, so it > shouldn't be taken for granted that it works, even for commonName. > The rationale is that there isn't really any point in using an IP rather > a host name. I don't know if there is a point o

2010-10-07 Thread Antoine Pitrou
Antoine Pitrou added the comment: Here is a new patch with doc updates and the corrections mentioned above. -- Added file: http://bugs.python.org/file19141/sslcheck2.patch

2010-10-07 Thread Antoine Pitrou
Antoine Pitrou added the comment: > I don't know if there is a point or not, but some hosts are for some > reason intended to be connected to using IP address and their > certificates thus contains IP addresses. I think we should support that > too, and I find it a bit confusing to only have

2010-10-06 Thread Antoine Pitrou
Antoine Pitrou added the comment: > From a Python user/programmers point of view it would be nice if > http://docs.python.org/library/ssl.html also clarified what > "validation" means (apparently that the cert chain all the way from > one of ca_certs is valid and with valid dates, except that CR

2010-10-06 Thread Mads Kiilerich
Mads Kiilerich added the comment: I'm sorry to make the discussion longer ... From a Python user/programmers point of view it would be nice if http://docs.python.org/library/ssl.html also clarified what "validation" means (apparently that the cert chain all the way from one of ca_certs is

2010-10-06 Thread Antoine Pitrou
Antoine Pitrou added the comment: If nobody objects, I will commit this (with docs) soon. Then I will open a separate issue for the http.client / urllib.request integration, since the discussion is already quite long here.

2010-10-04 Thread Devin Cook
Devin Cook added the comment: > I'm also assuming RFC 2818 is in wider use than the id-checking draft; > am I wrong? Yeah, since RFC 2818 has been accepted since 2000 and the id-checking draft was started in 2009, I'd say it's a safe bet. I'm in no way authoritative though.

2010-10-04 Thread Antoine Pitrou
Antoine Pitrou added the comment: > I think it looks good except for the wildcard checking. According to > the latest draft of that TLS id-checking RFC, you aren't supposed to > allow the wildcard as part of a fragment. Of course this contradicts > RFC 2818. Well, since it is then an "error" (a

2010-10-04 Thread Devin Cook
Devin Cook added the comment: I think it looks good except for the wildcard checking. According to the latest draft of that TLS id-checking RFC, you aren't supposed to allow the wildcard as part of a fragment. Of course this contradicts RFC 2818. http://tools.ietf.org/html/draft-saintandre-tl

2010-10-04 Thread Antoine Pitrou
Antoine Pitrou added the comment: Here is a patch against py3k. It adds a single ssl.match_hostname method, with rules from RFC 2818 (that is, tailored for HTTPS). Review welcome. -- keywords: +patch stage: -> patch review Added file: http://bugs.python.org/file19128/sslcheck.patch
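
The RFC 2818 style check Antoine describes, written out as an added example (it is not the sslcheck.patch attached to this issue nor CPython's own ssl.match_hostname): it assumes the dict shape ssl.SSLSocket.getpeercert() returns, prefers subjectAltName dNSName entries over commonName, compares iPAddress entries as addresses (the case the thread notes the committed patch left out), and follows the stricter id-checking draft on wildcards, rejecting the fragment form Devin and Antoine debate above.

```python
import ipaddress


class CertificateError(ValueError):
    """Raised when the peer certificate was not issued for the expected host."""


def _dnsname_match(pattern, hostname):
    """Match one certificate DNS name against hostname, case-insensitively.

    A '*' is accepted only as the whole leftmost label ('*.example.com'); the
    fragment wildcards RFC 2818 allows ('f*.example.com') are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # the wildcard must be a whole label and leave at least two fixed labels,
    # so neither '*.com' nor 'f*.example.com' can ever match anything
    if labels[0] != "*" or len(labels) < 3 or "*" in pattern[1:]:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def _ip_match(value, ip):
    """Compare an iPAddress entry with the requested IP as addresses, not text."""
    try:
        return ipaddress.ip_address(value) == ip
    except ValueError:
        return False


def match_hostname(cert, hostname):
    """Raise CertificateError unless cert (getpeercert() shape) matches hostname.

    dNSName entries in subjectAltName take precedence over commonName, an IP
    literal is checked against iPAddress entries, commonName is only a fallback.
    """
    if not cert:
        raise CertificateError("empty cert: connect with cert_reqs=CERT_REQUIRED")
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    if ip is not None:
        if any(_ip_match(v, ip) for v in ip_names):
            return
        raise CertificateError("IP %r not in iPAddress entries %r" % (hostname, ip_names))
    if dns_names:
        if any(_dnsname_match(v, hostname) for v in dns_names):
            return
        raise CertificateError("%r does not match dNSName entries %r" % (hostname, dns_names))
    for rdn in cert.get("subject", ()):  # no dNSName: fall back to commonName
        for key, value in rdn:
            if key == "commonName":
                if _dnsname_match(value, hostname):
                    return
                raise CertificateError("%r does not match commonName %r" % (hostname, value))
    raise CertificateError("no subjectAltName or commonName in certificate")


# Constructed sample in getpeercert() form (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"),
                       ("IP Address", "2001:db8::1")),
}
```

Call it right after wrap_socket() with cert_reqs=CERT_REQUIRED, passing sock.getpeercert() and the host the user asked for; with CERT_NONE the dict is empty and the check correctly refuses.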

2010-10-04 Thread Antoine Pitrou
Antoine Pitrou added the comment: Hello, > I added some extra verification to Mercurial > (http://www.selenic.com/hg/rev/f2937d6492c5). Feel free to use the > following under the Python license in Python or elsewhere. It could be > a separate method/function or it could be integrated in wrap_socke

2010-10-03 Thread Mads Kiilerich
Mads Kiilerich added the comment: I added some extra verification to Mercurial (http://www.selenic.com/hg/rev/f2937d6492c5). Feel free to use the following under the Python license in Python or elsewhere. It could be a separate method/function or it could be integrated in wrap_socket and control

2010-09-29 Thread david
david added the comment: imho it would be nice to be 'secure by default' in say the next python stable releases... (or perhaps only 3.X ? ).

2010-09-29 Thread Antoine Pitrou
Antoine Pitrou added the comment: > What would the approximate cost on that be, do you think? My > understanding was that the code was pretty much written given John > Nagle's patch and M2Crypto. To err on the safe side and account for integration work (unit tests, coding style, and use in http

2010-09-29 Thread Antoine Pitrou
Antoine Pitrou added the comment: > > Correct me if I'm wrong, but the "well-maintained pyOpenSSL > > package" doesn't have the missing functionality (hostname > > checking in server certificates), either. > > I'm pretty sure it's just a wrapper around the openssl library, which > does not incl

2010-09-29 Thread geremy condra
geremy condra added the comment: On Wed, Sep 29, 2010 at 11:34 AM, Antoine Pitrou wrote: > > Antoine Pitrou added the comment: > >> Here is a letter that I just received, in my role as a developer of >> Tahoe-LAFS, from a concerned coder who doesn't know much about Python: >> >> > An FYI on Py

2010-09-29 Thread Devin Cook
Devin Cook added the comment: > Correct me if I'm wrong, but the "well-maintained pyOpenSSL > package" doesn't have the missing functionality (hostname > checking in server certificates), either. I'm pretty sure it's just a wrapper around the openssl library, which does not include it. That wa

2010-09-29 Thread Antoine Pitrou
Antoine Pitrou added the comment: > Here is a letter that I just received, in my role as a developer of > Tahoe-LAFS, from a concerned coder who doesn't know much about Python: > > > An FYI on Python. > > > > I'm not sure how businesses handle this (I've always worked in > Windows > > shops),

2010-09-29 Thread Ryan Tucker
Changes by Ryan Tucker: -- nosy: +Ryan.Tucker

2010-09-29 Thread Zooko O'Whielacronx
Zooko O'Whielacronx added the comment: This appears to be a concern for some people. Maybe the builtin ssl module should be deprecated if there isn't a lot of manpower to maintain it and instead the well-maintained pyOpenSSL package should become the recommended tool? Here is a letter that I

2010-09-29 Thread david
david added the comment: Welcome to 2010. SSL shouldn't be difficult to use anymore or support in python applications. But yet, until the changes in http://bugs.python.org/issue9983 were fixed python devs were using modules without any warning of the security implications. pycurl works ... but

2010-09-29 Thread Senthil Kumaran
Senthil Kumaran added the comment: Removed this message by mistake. Author: ahasenack Date: 2007-12-11.21:11:53 Oops, typo in the script: cert = "verisign-inc-class-3-public-primary.pem" -- nosy: +orsenthil

2010-09-29 Thread Senthil Kumaran
Changes by Senthil Kumaran: -- Removed message: http://bugs.python.org/msg58435

2010-06-20 Thread Antoine Pitrou
Changes by Antoine Pitrou: Removed file: http://bugs.python.org/file11463/unnamed

2010-06-20 Thread Antoine Pitrou
Changes by Antoine Pitrou: Removed file: http://bugs.python.org/file8941/unnamed

2010-06-20 Thread Antoine Pitrou
Changes by Antoine Pitrou: Removed file: http://bugs.python.org/file8933/unnamed

2010-06-19 Thread Devin Cook
Changes by Devin Cook: -- nosy: +devin

2010-06-16 Thread Justin Samuel
Changes by Justin Samuel: -- nosy: +jsamuel

2010-06-16 Thread Giampaolo Rodola'
Changes by Giampaolo Rodola': -- nosy: +giampaolo.rodola

2010-06-15 Thread geremy condra
Changes by geremy condra: -- nosy: +debatem1

2010-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: Reopening. I think it would be nice to provide the appropriate convenience function(s) as part of the ssl module, even if the user has to call them explicitly. -- assignee: janssen -> nosy: +pitrou resolution: rejected -> status: closed -> open vers

2008-09-11 Thread Bill Janssen
Bill Janssen added the comment: I think that, where it's appropriate, you can do that. Just don't put it in the SSL module. Bill On Wed, Sep 10, 2008 at 11:24 PM, Heikki Toivonen wrote: > > Heikki Toivonen added the comment: > > Ok, t

2008-09-10 Thread Heikki Toivonen
Heikki Toivonen added the comment: Ok, thank you for clarifications. Now I understand why the hostname checking isn't the solution that fits every problem. I am still not completely clear how you'd do the checking otherwise, for example to verify the service you are talking to

2008-09-09 Thread Bill Janssen
Bill Janssen added the comment: Sorry to be so brief there -- I was off on vacation. Verifying hostnames is a prescription that someone (well, OK, Eric Rescorla, who knows what he's talking about) put in the https IETF RFC (which, by the way, is only an informational RFC, not

2008-09-05 Thread Heikki Toivonen
Heikki Toivonen added the comment: Could you clarify your comment regarding hostname check being false security? Just about all SSL texts I have read say you must do that, and that is what your web browser and email client does to ensure it is talking to the right host, for e

2008-08-21 Thread Bill Janssen
Bill Janssen added the comment: checking hostnames is false security, not real security. On 8/20/08, Heikki Toivonen wrote: > > Heikki Toivonen added the comment: > > > I would think most people/applications want to know to which host

2008-08-20 Thread Heikki Toivonen
Heikki Toivonen added the comment: I would think most people/applications want to know to which host they are talking to. The reason I am advocating adding a default check to the stdlib is because this is IMO important for security, and it is easy to get it wrong (I don't thin

2008-08-19 Thread Bill Janssen
Bill Janssen added the comment: Nope. Hostname verification was never a good idea -- the "hostname" is just a vague notion, at best -- lots of hostnames can map to one or more IP addresses of the server. It's exposed to the application code, so if a client application wants

2008-08-18 Thread Heikki Toivonen
Heikki Toivonen added the comment: I would definitely recommend providing as strict as possible hostname verification in the stdlib, but provide application developers a way to override that. M2Crypto (and TLS Lite, from which I copied the approach to M2Crypto), provide a def

2008-01-05 Thread vila
Changes by vila: -- nosy: +vila

2007-12-13 Thread Bill Janssen
Bill Janssen added the comment: The mechanism is there for direct use of the SSL module, yes. But the question is, what should indirect usage, like the httplib or urllib modules, do? If they are going to check hostnames on use of an https: URL, they need some way to pass a ca_certs file through

2007-12-13 Thread Guido van Rossum
Changes by Guido van Rossum: -- nosy: -gvanrossum

2007-12-13 Thread Andreas Hasenack
Andreas Hasenack added the comment: > do it automatically. Unfortunately, that means that client-side certificate > verification has to be done (it's pointless to look at the data in > unverified certificates), and that means that the client software has to > have an appropriate collection of ro

2007-12-12 Thread Bill Janssen
Bill Janssen added the comment: Yes, I think that's reasonable. And for pseudo-standards like https, which calls for this, the implementation in the standard library should attempt to do it automatically. Unfortunately, that means that client-side certificate verification has to be done (it's p

2007-12-12 Thread Andreas Hasenack
Andreas Hasenack added the comment: At the least it should be made clear in the documentation that the hostname is not checked against the commonName nor the subjectAltName fields of the server certificate. And add some sample code to the documentation for doing a simple check. Something like thi

2007-12-11 Thread Bill Janssen
Bill Janssen added the comment: Unfortunately, hostname matching is one of those ideas that seemed better when it was thought up than it actually proved to be in practice. I've had extensive experience with this, and have found it to almost always be an application-specific decision. I thought abo

2007-12-11 Thread Guido van Rossum
Guido van Rossum added the comment: Bill, can you respond? -- assignee: -> janssen nosy: +gvanrossum, janssen

2007-12-11 Thread Andreas Hasenack
Andreas Hasenack added the comment: Oops, typo in the script: cert = "verisign-inc-class-3-public-primary.pem"

2007-12-11 Thread Andreas Hasenack
New submission from Andreas Hasenack: (I hope I used the correct component for this report) http://pypi.python.org/pypi/ssl/ I used the client example shown at http://docs.python.org/dev/library/ssl.html#client-side-operation to connect to a bank site called www.realsecureweb.com.br at 200.208.