New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide access to the validated certificate chain in ssl module #69715
Comments
I’m currently working on adding support for HPKP to the Requests and urllib3 modules. HPKP (HTTP Public Key Pinning), specified in RFC 7469, is an extension to HTTP that allows a web server to specify a whitelist of public keys that are valid for TLS certificates on that domain. This prevents a rogue certificate authority from issuing a certificate that would be trusted by a browser and would allow a man-in-the-middle attack on a domain (as happened to Google in 20130). Right now, the draft version of the support I have will only work when you use PyOpenSSL for your TLS needs, not the standard library. This is because to get HPKP to work I need access to the validated certificate chain: that is, the certificate chain that OpenSSL has built and validated for the TLS connection. I also need to be able to work with those certificates in order to extract their public keys. The standard library’s ssl module does not expose any of this functionality. To get this to work with the standard library, I would require the following things from the standard library:
The motivation for making this available in the standard library would be pip. Right now python.org and all its subdomains (including pypi.python.org) are HPKP-enabled. Making this support available in the standard library would ensure that all pip installations are safe from man-in-the-middle attacks on its packaging infrastructure. Without it, a number of third-party packages would be required to add this security. In particular, pip could distribute a HPKP preload value for pypi.python.org, which would ensure that pip is truly invulnerable to MITM TLS attacks via malicious attackers coercing a CA to provide TLS certificates for *.python.org. I’m happy to do the work required to provide this functionality, but I’d only like to start work if people believe there’s a likelihood of getting it merged. |
Very nice idea. But no developer/maintainer seems to have until now, so I'll just like to ask whether there are any news regarding this issue. |
Oops, forgot a word: |
If there's no reply, that would be a no :) So, pinging the issue after a month as you just did is appropriate, let's see if one of the openssl experts replies. On the other hand, how is this different from bpo-24107, where Crys did reply? |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: