From: Antoine Pitrou on
On Mon, 14 Jun 2010 19:47:49 +0100
Nobody <nobody(a)nowhere.com> wrote:
> On Mon, 14 Jun 2010 10:43:02 -0700, John Nagle wrote:
>
> > The new SSL module in Python 2.6
>
> There isn't an SSL module in Python 2.6. There is a module named "ssl"
> which pretends to implement SSL, but in fact doesn't.

What do you mean by "doesn't"?
Can you point to an open bug report describing the issue?


From: geremy condra on
On Tue, Jun 15, 2010 at 1:27 PM, Antoine Pitrou <solipsis(a)pitrou.net> wrote:
> On Mon, 14 Jun 2010 19:47:49 +0100
> Nobody <nobody(a)nowhere.com> wrote:
>> On Mon, 14 Jun 2010 10:43:02 -0700, John Nagle wrote:
>>
>> >     The new SSL module in Python 2.6
>>
>> There isn't an SSL module in Python 2.6. There is a module named "ssl"
>> which pretends to implement SSL, but in fact doesn't.
>
> What do you mean by "doesn't"?
> Can you point to an open bug report describing the issue?

He's describing the lack of hostname checking, discussed here[0],
here[1], and in my pycon lightning talk last year, wherever those
are kept. My understanding is that it has led to vulnerabilities in
code deployed by Red Hat and several other vendors; if you need
to speak with them I can probably get the people involved in that
effort to come forward privately.

Both the lead for M2Crypto and the authors of zc.ssl have publicly
stated that this needs to be fixed.

Geremy Condra

[0] http://mail.python.org/pipermail/python-list/2010-April/1242166.html
[1] http://bugs.python.org/issue1589

From: Antoine Pitrou on

Hello,

> He's describing the lack of hostname checking, discussed here[0],
> here[1], and in my pycon lightning talk last year, wherever those
> are kept.

Ok, thank you.
I have tried to put some effort into the py3k ssl docs, so that security
issues get mentioned:
http://docs.python.org/dev/py3k/library/ssl.html#security-considerations
Any improvement or correction is welcome.

Also, following issue1589 (certificate hostname checking), I think it
would be useful at least to provide the necessary helper functions in
order to check certificate conformity, even if they aren't called
implicitly. I would encourage interested people to provide a patch for
the py3k ssl module, and will gladly review it.

Regards

Antoine.

From: geremy condra on
On Tue, Jun 15, 2010 at 1:57 PM, Antoine Pitrou <solipsis(a)pitrou.net> wrote:
>
> Hello,
>
>> He's describing the lack of hostname checking, discussed here[0],
>> here[1], and in my pycon lightning talk last year, wherever those
>> are kept.
>
> Ok, thank you.
> I have tried to put some effort into the py3k ssl docs, so that security
> issues get mentioned:
> http://docs.python.org/dev/py3k/library/ssl.html#security-considerations
> Any improvement or correction is welcome.

Could similar notifications be added to urllib, etc? That's where
people really get bitten badly by this.

> Also, following issue1589 (certificate hostname checking), I think it
> would be useful at least to provide the necessary helper functions in
> order to check certificate conformity, even if they aren't called
> implicitly. I would encourage interested people to provide a patch for
> the py3k ssl module, and will gladly review it.

I'm not sure what this fixes if it doesn't get used in the higher-level
modules, but I can ask if anybody is interested.

Geremy Condra

From: Antoine Pitrou on
On Tue, 15 Jun 2010 14:14:08 -0700
geremy condra <debatem1(a)gmail.com> wrote:
> >
> > Ok, thank you.
> > I have tried to put some effort into the py3k ssl docs, so that security
> > issues get mentioned:
> > http://docs.python.org/dev/py3k/library/ssl.html#security-considerations
> > Any improvement or correction is welcome.
>
> Could similar notifications be added to urllib, etc? That's where
> people really get bitten badly by this.

I suppose so, although I'm not responsible for these modules.

> > Also, following issue1589 (certificate hostname checking), I think it
> > would be useful at least to provide the necessary helper functions in
> > order to check certificate conformity, even if they aren't called
> > implicitly. I would encourage interested people to provide a patch for
> > the py3k ssl module, and will gladly review it.
>
> I'm not sure what this fixes if it doesn't get used in the higher-level
> modules, but I can ask if anybody is interested.

Actually it could be used, at least optionally, by the higher-level
modules (I'm not sure it can always be enabled by default, although
security-wise it would certainly be preferable).

Regards

Antoine.
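The kind of helper Antoine proposes (a hostname check a caller can run on the dict that getpeercert() returns after the handshake, and which urllib-style modules could call optionally) looks roughly like the following. This is an added example, not code from this thread or from the ssl module: it assumes the getpeercert() dict layout with 'subject' (a tuple of RDNs, each a tuple of (key, value) pairs) and 'subjectAltName' (a tuple of (type, value) pairs) keys, and the certificate dicts below are constructed samples, not real certificates.

```python
import re  # kept for readers who extend the matcher; the checks below use plain string ops


class CertificateError(ValueError):
    """Raised when the peer certificate was not issued for the requested hostname."""


def _dns_name_matches(pattern, hostname):
    """Compare one certificate dNSName (optionally with a leftmost-label wildcard)
    against a hostname, case-insensitively and ignoring a trailing dot.

    Policy (deliberately strict, an assumption of this example):
      - a wildcard is accepted only as the whole leftmost label ("*.example.com"),
      - it matches exactly one label, never "a.b.example.com",
      - it may not cover a bare top-level name such as "*.com".
    """
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    parts = pattern.split('.')
    if parts[0] != '*' or len(parts) < 3 or any('*' in p for p in parts[1:]):
        return False
    host_parts = hostname.split('.')
    if len(host_parts) != len(parts):
        return False  # the '*' must not span several labels
    return host_parts[0] != '' and host_parts[1:] == parts[1:]


def match_hostname(cert, hostname):
    """Check that cert (getpeercert()-style dict) was issued for hostname.

    Returns the certificate identifier that matched; raises CertificateError
    otherwise. With cert_reqs=CERT_NONE getpeercert() returns an empty dict,
    which is treated as a failure rather than silently passing.
    """
    if not cert:
        raise CertificateError(
            "empty peer certificate: the handshake did not request or verify one")
    dns_names = [value for (kind, value) in cert.get('subjectAltName', ())
                 if kind == 'DNS']
    if dns_names:
        # When dNSName SANs are present the commonName is ignored entirely
        # (RFC 6125 rule); a matching CN must not rescue a non-matching SAN.
        candidates = dns_names
    else:
        candidates = [value for rdn in cert.get('subject', ())
                      for (key, value) in rdn if key == 'commonName']
    if not candidates:
        raise CertificateError("certificate carries no DNS identifier to compare")
    for candidate in candidates:
        if _dns_name_matches(candidate, hostname):
            return candidate
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, ", ".join(repr(c) for c in candidates)))


def hostname_matches(cert, hostname):
    """Boolean wrapper for callers that prefer not to catch the exception."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


# Constructed sample dicts shaped like getpeercert() output (not real certificates).
SAMPLE_CERT = {
    'subject': ((('commonName', 'www.example.com'),),),
    'subjectAltName': (('DNS', 'www.example.com'), ('DNS', '*.api.example.com')),
    'notAfter': 'Jan  1 00:00:00 2099 GMT',
}
SAN_LESS_CERT = {
    'subject': ((('countryName', 'US'),), (('commonName', 'mail.example.org'),)),
}
# CN matches the host but the SAN does not: must be rejected.
SAN_OVERRIDES_CN_CERT = {
    'subject': ((('commonName', 'www.example.net'),),),
    'subjectAltName': (('DNS', 'other.example.net'),),
}

if __name__ == '__main__':
    for host in ('www.example.com', 'v1.api.example.com',
                 'a.b.api.example.com', 'evil.example.com'):
        print(host, hostname_matches(SAMPLE_CERT, host))
```

The check has to run after ssl.wrap_socket(..., cert_reqs=ssl.CERT_REQUIRED, ca_certs=...) completes the handshake: that call validates the chain against ca_certs but, as the thread says, never compares the certificate's names with the host the caller asked for, so a valid certificate for any other host would be accepted without a call like match_hostname(sock.getpeercert(), host).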