-
-
Notifications
You must be signed in to change notification settings - Fork 29.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make SSLContext.set_default_verify_paths() work on Windows #63491
Comments
See discussion on https://groups.google.com/forum/#!topic/python-tulip/c_lqdFjPEbE . If you set sslcontext.verify_mode = ssl.CERT_REQUIRED and call sslcontext.set_default_verify_paths(), the stdlib ought to have enough smarts to use the system root certificates. I understand this is difficult, as the location of the root certificates may vary between Windows versions or installations. But if we leave this up to the app developer they are much more likely to disable certificate verification by setting verify_mode to CERT_NONE than to provide secure root certs (or do even less secure things, like using plain HTTP :-). |
Maybe once this is addressed we could also change urllib.request.urlopen() to default to cadefault=True? |
I don't think it's ok to change the default and break compatibility. Passing True manually is easy enough. |
Why is this not a security patch? Because it's not a "vulnerability" in the narrow technical sense? I expect that it will greatly increase the actual practical security, by making it easier to do the right thing. |
http://www.python.org/dev/peps/pep-0453/#bundling-ca-certificates-with-cpython proposes that ensurepip comes with a default CA cert bundle, too. I see two issues with the proposal:
A while ago I started a PEP about the topic but it's not done yet. https://bitbucket.org/tiran/peps/src/tip/pep-9999.txt |
IMO it's not a vulnerability. It's not a security hole in Python: the I would also like to point out Python isn't a Web browser: its use cases |
@christian: What is holding up those patches? I don't believe we should be @antoine: I still claim that a flag that defaults to no security is a On Sat, Oct 19, 2013 at 4:53 AM, Antoine Pitrou <report@bugs.python.org>wrote:
|
Am 19.10.2013 18:02, schrieb Guido van Rossum:
The usual issues: lack of time and too much to do.
It would be nice to add a feature to the SSL module that behaves like Christian |
If we were introducing urllib right now, I agree it would be better to
It's different because the server isn't inaccessible. Its HTTPS service (besides, an expired certificate is not a "misconfiguration"; it worked Again, I think it may be reasonable to change in 3.4, but not in bugfix By the way, I seem to remember even svn.python.org used a CACert-emitted |
So you agree that we should change the urllib default in 3.4? I'm all for Tools like svn and hg have extensive configurations for this purpose, and These days, I wouldn't trust a site that lets its certificate expire with On Sat, Oct 19, 2013 at 9:22 AM, Antoine Pitrou <report@bugs.python.org>wrote:
|
It is not about svn and hg, it was just an example that even in the |
But do you agree that the urllib default should be changed? |
Well, I'm fine for 3.4, even though I'm not particularly |
I fear it's a bit too late in the release cycle to get it right. Feature freeze is in about a month and this is a major change. The set_default_verify_paths() works only on some Unix platforms when OpenSSL configured with the distribution-specific paths to CAfile or CApath. A user installation of OpenSSL will most probably not work correctly. And there is Mac OS X ... Apple has deprecated OpenSSL and doesn't provide certificates as files. Apple's build of OpenSSL is patched and re-uses the keychain API. My Windows patch only offers certificates that already exist in Windows' cert stores. IE can trigger background downloads of yet unknown IMHO we should add root CA certs for every purpose with Python and implement a way to replace the shipped certs with update packages. |
No, please let's not get in the business of shipping certs. Please not. Trusting only certs already on the system sounds fine. Reading certs from memory sounds like a good start no matter whether we The next step should be fixing set_default_verify_paths() for Windows (at On OS X it becomes a priority once the default build no longers use the |
Can somebody step in for bpo-16487 please? For my stuff I just need to load DER as bytes and maybe PEM as str. |
The patch implements a new method SSLContext.load_default_certs(). A new method is a required because set_default_verify_paths() doesn't have a way to specify a purpose. Every cert store allows the user to specify the purpose of a certificate (e.g. suitable for every purpose or just for serverAuth and clientAuth). The feature is supported by NSS certdata.txt, Windows API and Apple's crypto API. The patch is rather simple and uses features implemented in issues bpo-17134 Use Windows' certificate store for CA certs |
Can you also add a patch to asyncio (I suppose to the code where it calls |
I have slightly different plans to make it even easier, bpo-19689 |
So do you need anything on *this* issue? (And are you asking me to review/approve the other issue? I haven't kept |
New patch with enum (for Antoine), tests and documentation. |
New changeset dfd33140a2b5 by Christian Heimes in branch 'default': |
New changeset 35a5284d5388 by R David Murray in branch 'default': |
I think we can close this bug for good. |
Great! Thank you! |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: