[PATCH] ssl: ensure the cert is parsable with a dict to check the hostname

Sebastian Spaeth Sebastian at SSpaeth.de
Tue Jan 18 10:43:50 GMT 2011


On Mon, 17 Jan 2011 20:41:48 +0100, Johannes Stezenbach <js at sig21.net> wrote:
> On Mon, Jan 17, 2011 at 07:32:45PM +0100, Nicolas Sebrecht wrote:
> > The SSL library gives choice between DER-encoded/binary data and a dict format.
> > Explicitly ask for a dict to parse it.
> > 
> > http://docs.python.org/library/ssl.html?highlight=getpeercert#ssl.SSLSocket.getpeercert
> 
> The documentation says binary_form=False is default.  It also says:
> 
> "If the certificate was not validated, the dict is empty."
> ...
> "if CERT_NONE was used to establish the connection, the certificate,
> if present, will not have been validated."

Right, and this is what had happened. For those without a sslcacertfile
setting (the default) but using SSL, we used CERT_NONE and got an empty
dict back. But then we tried to do hostname checking nonetheless, and of
course it would complain that it did not receive a certificate.

So the patch I just sent, does away with the wrong host name checking
and should be the right thing.

This patch does not offer relaxed/optional host name checking yet, it
just fixes the buggy code.

Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/offlineimap-project/attachments/20110118/be86cbc2/attachment-0001.sig>


More information about the OfflineIMAP-project mailing list