Python, SSL/TLS certificates and default validation

Posted Jan 30, 2014 10:00 UTC (Thu) by DG (subscriber, #16978)
Parent article: Python, SSL/TLS certificates and default validation

PHP appears to have only just moved to performing peer certificate checks by default -

See: https://wiki.php.net/rfc/tls-peer-verification

And: https://twitter.com/rdlowrey/status/428239825347424257

"#php just got more secure :) I merged the implementation for the TLS Peer Verification RFC: https://github.com/php/php-src/commit/7a90254231eb419d2d7... … More TLS++ on the way. "



Python, SSL/TLS certificates and default validation

Posted Jan 30, 2014 11:31 UTC (Thu) by Richard_J_Neill (subscriber, #23093) [Link]

Surely a bare minimum would be:
* always check the cert
* if (fail){ print a warning to stderr }
* continue anyway.

That way, at least people would know there's a problem, even if we don't break backward compatibility.

Python, SSL/TLS certificates and default validation

Posted Jan 31, 2014 6:06 UTC (Fri) by noxxi (subscriber, #4994) [Link]

> "..print a warning to stderr...continue anyway.."

One should hope that this helps, but experience from making the Perl module IO::Socket::SSL move away from insecure defaults (see another comment here) shows that even after 3 years of printing a fat warning covering multiple lines and then finally making verification the default, there were still lots of people who were surprised by the new default and did not care all the time before.
It's just too easy to ignore a warning.

Python, SSL/TLS certificates and default validation

Posted Jan 31, 2014 23:08 UTC (Fri) by hkario (subscriber, #94864) [Link]

Maybe it should not be a warning, but a "set environment variable <modulename>SSL to 'I_want_my_connections_as_robust_as_wet_paper_napkin' if you want this program to run or complain to application author to fix it" message that just aborts applications.

Also, it's dead scary that we have such discussions in the first place. After Snowden revelations I don't have the appropriate words to describe it.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds