python/SocketSSLGrump written at 14:01:28
A grump about the socket module's SSL support
It is nice that Python's socket module has simple SSL support (although it has some limitations). My grump is that it doesn't give you any good way to check the identity of the server's certificate, which is especially annoying because the SSL code does no certificate verification of its own: the handshake completes against whatever certificate the other end presents, so any identity check has to be done by your code afterwards.
(This matters to me because I have recently become quite interested in being able to verify machines by checking that they have a specific SSL certificate.)
What SSL objects have is
What you actually need is information about the server certificate itself. The best thing would be a full copy of the server certificate as a binary (DER) object, since then I can do whatever I want with it, including comparing it byte for byte to my existing copy, but I'd be reasonably happy with a hash (fingerprint) of the server's certificate. (And OpenSSL already has functions that will give you the certificate; I believe it would take two OpenSSL calls to pull the certificate out as a memory
But I suppose that I shouldn't be too surprised. Almost nothing seems to offer an option to accept only a specific server certificate; at best you can insist that the certificate you get is signed by a specific CA.
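For comparison, here is what the "accept only this specific certificate" check looks like with the modern Python 3 ssl module, which does hand back the server certificate as DER bytes via getpeercert(binary_form=True). This is an added example, not code from the original post or from Python itself; it assumes Python 3.6 or later, and the SAMPLE_DER bytes are a constructed stand-in for a real certificate so the digest logic can be exercised offline (connect_pinned needs a live server). OpenSSL's own chain verification is deliberately switched off, which is exactly the situation the post describes, so the identity check is entirely the caller's.

```python
"""Pin a specific server certificate from Python's ssl module.

Added example. Compares the SHA-256 digest of the DER certificate the
server presents against a list of pinned fingerprints, which is the
check the post wishes socket.ssl() made possible.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER certificate in the
    colon-separated upper-case form that openssl x509 -fingerprint prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin: str) -> bytes:
    """Turn a fingerprint string into raw digest bytes.

    Accepts "SHA256:AB:CD:...", "ab:cd:..." or bare hex, so a pin copied
    from openssl output compares equal to one computed here.
    """
    pin = pin.strip()
    if pin.upper().startswith("SHA256:"):
        pin = pin[len("SHA256:"):]
    raw = bytes.fromhex(pin.replace(":", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin is not a SHA-256 digest: %r" % pin)
    return raw


def matches_pin(der_cert: bytes, pins) -> bool:
    """True if the certificate's SHA-256 digest equals one of the pins.

    hmac.compare_digest keeps the comparison constant-time; a plain ==
    would leak how many leading bytes of the digest matched.
    """
    actual = hashlib.sha256(der_cert).digest()
    return any(hmac.compare_digest(actual, normalize_pin(p)) for p in pins)


class PinMismatch(ssl.SSLError):
    """The server presented a certificate that is not pinned."""


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that is accepted only if the server presents
    a pinned certificate.

    Chain verification is turned off (CERT_NONE), so OpenSSL will complete
    the handshake with anyone; the DER certificate is then fetched and its
    digest checked before any application data is sent. On mismatch the
    socket is closed and PinMismatch is raised.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not matches_pin(der, pins):
            seen = fingerprint(der) if der else "(no certificate)"
            raise PinMismatch("server certificate %s is not pinned" % seen)
    except Exception:
        tls.close()
        raise
    return tls


# Constructed stand-in for a DER certificate (not a real X.509 object);
# a real one comes from getpeercert(binary_form=True) or
# openssl x509 -outform DER. Any bytes exercise the digest logic.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-example-certificate-bytes"
SAMPLE_PIN = fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    print("pin for sample certificate:", SAMPLE_PIN)
    print("sample matches its own pin:", matches_pin(SAMPLE_DER, [SAMPLE_PIN]))
    print("altered certificate matches:", matches_pin(SAMPLE_DER + b"\x00", [SAMPLE_PIN]))
```

Pinning several fingerprints (the current certificate and its planned replacement) is what lets a server rotate its certificate without locking out clients; pinning only one means a certificate change is indistinguishable from an impostor, which is the trade-off the post's "specific certificate" approach carries.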