Add del_extension needed by Zorp #246
Conversation
Balabit Zorp application level firewall relies on the del_extension function to remove attributes like CRL pathes from the mimicked certificates when doing man-in-the-middle traffic filtering. Also needs the ffi lib (python-cryptograpy at hazmat/bindings/openssl/x509.py) to have the definition of: X509_EXTENSION *X509_delete_ext(X509 *, int);
1 similar comment
There was a problem hiding this comment.
This will leak memory. It needs to use X509_EXTENSION_free in conjunction with ffi.gc. Take a look at the method right above this for an example.
There was a problem hiding this comment.
Ah, really! Thanks for pointing that out.
|
This also needs unit tests. Thanks for your contribution so far! |
|
First of all, please accept my sincere apologies for this PR not moving along as we’d like to. I’ve tried to come up with a long-term solution to the general x509 problem domain and would also welcome your feedback to this thread: https://mail.python.org/pipermail/cryptography-dev/2015-December/000539.html (please note that there’s already responses: https://mail.python.org/pipermail/cryptography-dev/2015-December/thread.html https://mail.python.org/pipermail/cryptography-dev/2016-January/thread.html ). I really hope this could be a way to loosen the guardian knot that the pyOpenSSL’s x509 layer currently presents to us maintainers and lightens the frustrations for contributors like you. |
|
Closing due to lack of activity. |
4 participants
Balabit Zorp application level firewall relies on the del_extension function to remove attributes like CRL pathes from the mimicked certificates when doing man-in-the-middle traffic filtering.
Also needs the ffi lib (python-cryptograpy at hazmat/bindings/openssl/x509.py) to have the definition of: