I've started poking around trying to figure how to switch the SSL/TLS
default certificate verification mode to CERT_REQUIRED. It'll be a
bit more than a one-line patch, but most of that will just be a simple
matter of programming. The part which isn't is ye olde devil of
Windows support.
Digging through the Ruby HTTPS implementation led me to the
seemingly-undocumented OpenSSL function
X509_STORE_set_default_paths(). This function allows loading CA
certificates from default system paths, but only on Unix-like systems.
One of the Ruby devs has opened a ticket and submitted a patch on the
OpenSSL tracker to extend the default_paths system to support the
Windows CryptoAPI:
http://rt.openssl.org/index.html?q=2158
So there are two basic options:
- Just add support for Unix-like systems via set_default_paths() and
wait for OpenSSL to support Windows
- Add explicit support for Windows, possibly duplicating work done in
OpenSSL once/if they merge such support
Thoughts?
-Marshall

Just to note, the python3.1 docs already bear the following warning
across the top:
"Note Some behavior may be platform dependent, since calls are made to
the operating system socket APIs. The installed version of OpenSSL may
also cause variations in behavior."
Geremy Condra

Thanks,
Justin

This seems right to me. Along with this, we should make sure that if
someone is really trying to specify only their own trusted certs, they
shouldn't accidentally be trusting whatever certs happen to be
installed on the particular system the code runs on. So, possibly
ssl.wrap_socket() grows a new argument for specifying whether to
include system certs and it defaults to True.
I could see some value in configure options for specifying a ca bundle
file or certs directory to be used instead of the system default. I'd
consider this low priority.
There are also python module changes that may be needed for usability
(especially of higher level modules like urllib/urllib2 where it's not
as easy as it should be to specify which certs should be used) when
changing cert_reqs to default to CERT_REQUIRED, but making the system
certs available will be wanted either way. If nobody else gets a
chance to do so first, I'll take a look and propose those later this
week/when time allows.
Justin
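As an added illustration of the design discussed in this thread (not code from any of the posters, and not a patch to the stdlib), the helper below builds a client context with CERT_REQUIRED as the default and an explicit include_system_certs switch, so a caller who supplies only their own CA bundle does not silently inherit whatever is in the system store. It assumes the SSLContext API of later Python versions: load_default_certs() is the wrapper around OpenSSL's set_default_verify_paths() on Unix-like systems and, on Windows, the CryptoAPI enumeration that the thread was waiting for.

```python
import ssl
from typing import Optional


def make_client_context(cafile: Optional[str] = None,
                        capath: Optional[str] = None,
                        include_system_certs: bool = True) -> ssl.SSLContext:
    """Client-side context that always verifies the peer certificate.

    Hypothetical helper illustrating the thread's proposal: CERT_REQUIRED is
    the default and the caller decides explicitly whether the system trust
    store is consulted in addition to (or instead of) their own CA bundle.
    """
    if not (cafile or capath or include_system_certs):
        # Refuse to build a context that could never validate any peer.
        raise ValueError("no trust anchors: pass cafile/capath or "
                         "include_system_certs=True")

    # PROTOCOL_TLS_CLIENT (3.6+) already defaults to CERT_REQUIRED plus
    # hostname checking; set both explicitly so the intent is visible.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED

    if cafile or capath:
        # Caller-supplied anchors: a PEM bundle and/or a c_rehash-style directory.
        ctx.load_verify_locations(cafile=cafile, capath=capath)

    if include_system_certs:
        # Unix-like: OpenSSL default file/dir (set_default_verify_paths).
        # Windows: certificates from the CryptoAPI "CA" and "ROOT" stores.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)

    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject unverified peers and bad hostnames."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def trusted_cert_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates currently loaded into the context's store."""
    return ctx.cert_store_stats()["x509"]
```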