SSL_set_verify_depth not exposed by the ssl module

[gbremer]

BPO	25115
Nosy	@vstinner, @tiran
Files	verify_depth.patch: Patch for 2.7 verify_depth-3.5.patch: Patch for 3.5

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2018-02-25.20:28:07.355>
created_at = <Date 2015-09-15.01:31:16.622>
labels = ['3.7', 'expert-SSL', 'type-feature', 'library']
title = 'SSL_set_verify_depth not exposed by the ssl module'
updated_at = <Date 2018-02-25.20:28:07.354>
user = 'https://bugs.python.org/gbremer'

bugs.python.org fields:

activity = <Date 2018-02-25.20:28:07.354>
actor = 'christian.heimes'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2018-02-25.20:28:07.355>
closer = 'christian.heimes'
components = ['Library (Lib)', 'SSL']
creation = <Date 2015-09-15.01:31:16.622>
creator = 'gbremer'
dependencies = []
files = ['40471', '40483']
hgrepos = []
issue_num = 25115
keywords = ['patch']
message_count = 10.0
messages = ['250718', '250741', '250782', '250842', '301478', '301479', '301838', '301972', '301975', '312854']
nosy_count = 4.0
nosy_names = ['vstinner', 'christian.heimes', 'gbremer', 'Alex Gaynor']
pr_nums = []
priority = 'normal'
resolution = 'rejected'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue25115'
versions = ['Python 3.7']

[gbremer]

The SSL_set_verify_depth OpenSSL method is not currently exposed by the ssl module. The context object would seem to be the proper place for it as an instance method.

[vstinner]

+ if (depth < 0 || depth > 100) {

Why 100 and not 10 or 1000?

SSL_CTX_set_verify_depth() is unable to check the depth?

The patch lacks unit tests and documentation.

The patch is for Python 2.7, it would be better to write a patch for the default branch (future Python 3.6).

[gbremer]

I had thought that I had found documentation that the max depth is 100 and anything higher is ignored -- and as I read that back to me, I believe I read an example passage and interpreted it incorrectly. I'll remove that.

We primarily use Python 2.7, so I started there. I'll submit another patch with changes on the 3.5 branch and add tests.

[gbremer]

Attached is a patch for the 3.5 branch. The test is minimal -- we are relying on the underlying OpenSSL library and its context to manage the data. I have removed the data validation from the set function -- OpenSSL seems happy to accept negative numbers for depth, even if that is a non-sensical value. I have started on the documentation, and can do a more comprehensive job if the code section is good or mostly good. I'll do the same for the 2.7 patch.

[tiran]

The patch looks fairly simple, but what is your use case? I don't like to clobber the SSLContext with additional features. I have never been in a situation that required me to change the verify depths for chain building. Why do you want to restrict or enlarge the verify depths? OpenSSL's default verify depths is sensible.

[AlexGaynor]

+1 on making sure we have a concrete use case before expanding the API

[gbremer]

The use case is for an internal PKI implementation where verification should be, needs to be limited to certificates signed by the PKI CA and no higher to, say, a larger realm which would not be appropriate.

[tiran]

Grant,

I'm not sure I follow you. Do I understand correctly that you want to call SSL_CTX_set_verify_depth(ctx, 1), in order to enforce that a peer cert is directly signed by your CA?

That doesn't sound like a good use of SSL_CTX_set_verify_depth(), because it only works for a simple case without an intermediate CA. Most real-world cases have one or more intermediate CAs.

[AlexGaynor]

For the use case of "I want to trust this CA, but I don't want to trust any of it's sub CAs" I think there's a simpler solution than expanding our API:

Create your own cross-sign of the root you want, and add a pathLenConstraint: 0 to the basicConstraints extension.

By create a cross-sign, I mean a new certificate with the same subject/SPKI/SKI/other-extensions, but instead of being self-signed, sign it under some random private key you throw away. And then use that as your trust root, instead of the original certificate.

This should work fine for validation.

[tiran]

Both Alex and I agree that verify depth is not the right solution to solve your problem. I'd rather not add more APIs unless they are useful for general audience. OpenSSL has a good default for verify depth.