[hcs-d] how to validate ssl certificates correctly with python?
zstone at gmail.com
Sat Jan 28 23:11:21 EST 2012
> Urllib2 is a pretty incomplete and awkward HTTP library. I would suggest Requests.
Thanks, Ted! I had checked out Requests, but it looked like it just
backports the match_hostname from Python 3.2, and I wasn't sure that
would check basicConstraints properly in certificate chains:
> A few people are trying to fix this with a "hitchhiker's guide to Python."
Thanks for sharing this as well; I hope it fills in over time.
> On Jan 28, 2012, at 10:50 PM, Zak Stone wrote:
>> Hello everyone,
>> I would like to allow a Python client to communicate securely via
>> HTTPS with a server I control that has a valid SSL certificate.
>> Unfortunately, it turns out that the relevant standard library
>> functions in Python 2.x do not attempt to validate a server's SSL
>> certificate _at all_, as you can see from the warnings in the
>> documentation below, which means that these functions are vulnerable
>> to man-in-the-middle attacks:
>> The folks at Stack Overflow suggest a variety of work-arounds,
>> including backporting the match_hostname function that was added to
>> the ssl module in Python 3.2:
>> More detailed information is available from the fellow who currently
>> maintains M2Crypto:
>> However, security is complicated, and I find the history of
>> catastrophic security failures caused by incorrect usage of TLS/SSL
>> sufficiently disturbing to seek expert advice. For example, it appears
>> that iOS allowed transparent man-in-the-middle decryption of encrypted
>> transmissions until last July:
>> This particular attack centered around Apple's failure to check the
>> "Basic Constraints" (or basicConstraints) fields in certificate
>> chains. This problem has surfaced before as well -- Moxie Marlinspike
>> seems to have found a similar vulnerability in Internet Explorer in
>> Unfortunately, it isn't obvious to me whether the use of
>> match_hostname or M2Crypto in Python will prevent this Basic
>> Constraints attack, and it is even more difficult to determine whether
>> the Python approaches to certificate validation referenced above cover
>> other known exploits.
>> Would anyone be so kind as to share the Right Way for a Python client
>> to communicate securely with a server over HTTPS?
>> Many thanks,
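As an added example (not part of the original thread or of any library it mentions), the sketch below uses the Python 3 `ssl` module to separate the two checks the thread discusses: chain validation, which OpenSSL performs when `verify_mode` is `CERT_REQUIRED`, and hostname matching, shown here as a simplified stand-in for `match_hostname`. The names `verified_context`, `hostname_matches`, `fetch_peer_cert` and `SAMPLE_CERT` are hypothetical, and the sample certificate dict is constructed.

```python
import socket
import ssl


def verified_context(cafile=None):
    """Client context that requires a verified chain and a hostname match."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Set explicitly so the two independent checks are visible:
    ctx.check_hostname = True            # name in the cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate to a trusted CA
    return ctx


def hostname_matches(cert, hostname):
    """Simplified match_hostname over the dict returned by getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to subject commonName only when no DNS SAN exists
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue  # a wildcard covers exactly one label
        if pattern[0] == "*" and len(pattern) > 2 and host[0]:
            pattern, candidate = pattern[1:], host[1:]
        else:
            candidate = host
        # Any remaining "*" (partial, nested, or "*.tld") is rejected.
        if "*" not in "".join(pattern) and pattern == candidate:
            return True
    return False


def fetch_peer_cert(host, port=443, cafile=None):
    """Connect, let OpenSSL verify chain and name, return the peer cert dict."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with verified_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.api.example.org")),
}
```

`hostname_matches` only compares names; it says nothing about whether the chain is trustworthy, which is why `fetch_peer_cert` relies on the context's `CERT_REQUIRED` setting for that part.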