[PATCH] ssl: ensure the cert is parsable with a dict to check the hostname

Sebastian Spaeth Sebastian at SSpaeth.de
Tue Jan 18 10:43:50 UTC 2011


On Mon, 17 Jan 2011 20:41:48 +0100, Johannes Stezenbach <js at sig21.net> wrote:
> On Mon, Jan 17, 2011 at 07:32:45PM +0100, Nicolas Sebrecht wrote:
> > The SSL library gives choice between DER-encoded/binary data and a dict format.
> > Explicitly ask for a dict to parse it.
> > 
> > http://docs.python.org/library/ssl.html?highlight=getpeercert#ssl.SSLSocket.getpeercert
> 
> The documentation says binary_form=False is default.  It also says:
> 
> "If the certificate was not validated, the dict is empty."
> ...
> "if CERT_NONE was used to establish the connection, the certificate,
> if present, will not have been validated."

Right, and this is what had happened. For those without a sslcacertfile
setting (the default) but using SSL, we used CERT_NONE and got an empty
dict back. But then we tried to do hostname checking nonetheless, and of
course it would complain that it did not receive a certificate.

So the patch I just sent does away with the wrong host name checking
and should be the right thing.

This patch does not offer relaxed/optional host name checking yet, it
just fixes the buggy code.

Sebastian
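The failure described in this message, and the guard that fixes it, as an added example that is not OfflineIMAP's own code. It works on the dict form of `ssl.SSLSocket.getpeercert()` (the `binary_form=False` default discussed above), using a constructed sample dict shaped like the one Python returns for a validated certificate; the function names are hypothetical, and the hostname matching (SAN dNSName first, subject commonName as a fallback, one leftmost wildcard label) is a deliberately small re-implementation, not the `ssl` module's own matcher.

```python
import ssl

# Constructed sample, shaped like getpeercert(binary_form=False) returns for a
# certificate that WAS validated. Not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "imap.example.net"),),),
    "subjectAltName": (("DNS", "imap.example.net"), ("DNS", "*.mail.example.net")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# What getpeercert() returns after a CERT_NONE handshake: the server may well have
# sent a certificate, but it was not validated, so the dict is empty.
EMPTY_PEERCERT = {}


class HostnameCheckError(Exception):
    pass


def _dnsname_matches(pattern, hostname):
    """Match one certificate DNS name against hostname, case-insensitively,
    allowing a single leftmost wildcard label such as '*.mail.example.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    pat_labels = pattern[2:].split(".")
    host_labels = hostname.split(".")
    # The wildcard stands for exactly one label, never zero and never several.
    return len(host_labels) == len(pat_labels) + 1 and host_labels[1:] == pat_labels


def hostname_in_cert(peercert, hostname):
    """True if hostname matches a subjectAltName dNSName or, when the cert has
    no dNSName entries, the subject commonName. An empty dict matches nothing."""
    dns_names = [value for (kind, value) in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dnsname_matches(name, hostname) for name in dns_names)
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dnsname_matches(value, hostname)
    return False


def check_hostname_unconditionally(peercert, hostname):
    """The buggy shape of the old logic: run the hostname check no matter how
    the socket was set up. With CERT_NONE the dict is always {}, so every
    connection without sslcacertfile fails with a misleading message."""
    if not peercert:
        raise HostnameCheckError("did not receive a certificate")
    if not hostname_in_cert(peercert, hostname):
        raise HostnameCheckError("hostname %r not in certificate" % (hostname,))
    return "verified"


def verify_peer_hostname(peercert, hostname, cert_reqs=ssl.CERT_REQUIRED):
    """Hostname check that respects how the connection was established.

    cert_reqs is the ssl.CERT_* mode the socket was created with.
    Returns "not-checked" when no validation was requested (CERT_NONE), so there
    is nothing to check against, and "verified" when the hostname matches.
    Raises HostnameCheckError on a mismatch, or on an empty dict when validation
    was requested (that should not happen after a successful handshake)."""
    if cert_reqs == ssl.CERT_NONE:
        return "not-checked"
    if not peercert:
        raise HostnameCheckError("certificate was not validated; cannot check hostname")
    if not hostname_in_cert(peercert, hostname):
        raise HostnameCheckError("hostname %r not in certificate" % (hostname,))
    return "verified"


if __name__ == "__main__":
    host = "imap.example.net"
    # Old behaviour: CERT_NONE connection, empty dict, spurious complaint.
    try:
        check_hostname_unconditionally(EMPTY_PEERCERT, host)
    except HostnameCheckError as e:
        print("buggy check:", e)
    # Fixed behaviour: skip when nothing was validated, check when it was.
    print("CERT_NONE:", verify_peer_hostname(EMPTY_PEERCERT, host, ssl.CERT_NONE))
    print("CERT_REQUIRED:", verify_peer_hostname(SAMPLE_PEERCERT, host, ssl.CERT_REQUIRED))
```

Note that "not-checked" is the honest status for a CERT_NONE connection: skipping the hostname check does not make the connection authenticated, it only stops the code from reporting a missing certificate that was in fact never looked at. Real protection still requires a CA bundle (sslcacertfile) so that the handshake validates the chain and the dict is populated.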