A grump about the socket module's SSL support
It is nice that Python's socket module has simple SSL support (although it has some limitations). My grump is that it doesn't give you any good way of checking the identity of the server's certificate, which is especially annoying as the SSL code doesn't do any certificate verification.
(This matters to me because I have recently become quite interested in being able to verify machines by checking that they have a specific SSL certificate.)
What SSL objects have is
give you the text form of the 'distinguished name' for the
certificate authority (if any) and the server certificate. In
practice, these are useless for reliably identifying a specific
server (in part because there are significant ambiguities in the
text versions of distinguished names, see eg this bug report).
What you actually need is information about the server certificate
itself. The best thing would be a full copy of the server certificate
as a binary object (since then I can just do whatever I want with it,
including comparing it to my existing copy), but I'd be reasonably happy
with a hash or other signature of the server's certificate. (And OpenSSL
already has functions that will give you the certificate; I believe it
would take two OpenSSL calls to pull the certificate out as a memory
SSL_get_peer_certificate followed by an appropriate
But I suppose that I shouldn't be too surprised. Almost nothing seems to offer an option to accept only a specific server certificate; at best you can insist that the certificate you get is signed by a specific CA.