== A grump about the socket module's SSL support

It is nice that Python's [[socket module http://www.python.org/doc/current/lib/module-socket.html]] has simple SSL support (although it has [[some limitations SocketModuleIrritations]]). My grump is that it doesn't give you any good way of checking the identity of the server's certificate, which is especially annoying because the SSL code doesn't do any certificate verification of its own. (This matters to me because I have recently become quite interested in verifying machines by checking that they present a specific SSL certificate.)

What SSL objects have is ((.issuer())) and ((.server())), which give you the text form of the 'distinguished name' of the issuing certificate authority (if any) and of the server certificate's subject. In practice these are useless for reliably identifying a specific server. Part of the problem is that there are significant ambiguities in the text versions of distinguished names (see eg [[this bug report http://mail.python.org/pipermail/python-bugs-list/2006-October/035836.html]]); the rest is that a distinguished name is just a string inside the certificate, so when no verification is done anyone can present a certificate carrying whatever subject name they like.

What you actually need is information about the server certificate itself. The best thing would be a full copy of the server certificate as a binary object (since then I can just do whatever I want with it, including comparing it to my existing copy), but I'd be reasonably happy with a hash or other fingerprint of the server's certificate. (And OpenSSL already has functions that will give you the certificate; I believe it would take two OpenSSL calls to pull the certificate out as a memory blob, namely ((SSL_get_peer_certificate)) followed by an appropriate ((i2d_X509)) invocation to get its DER encoding.)

But I suppose that I shouldn't be too surprised. Almost nothing seems to offer an option to accept only a specific server certificate; at best you can insist that the certificate you get is signed by a specific CA.
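As an added example (not code from the post), here is the check the post is asking for, written against the later standard-library ((ssl)) module that Python did not have when this was written: ((getpeercert(binary_form=True))) returns exactly the DER blob that ((SSL_get_peer_certificate)) plus ((i2d_X509)) produce, so the client can compare the certificate itself, or a hash of it, instead of a distinguished-name string. CA verification is switched off on purpose, since the whole point is to accept one known certificate rather than anything a CA would sign. The host, port and pin values in the usage line are placeholders.

```python
"""Pin a TLS server's leaf certificate instead of trusting a DN string."""
import hashlib
import hmac
import socket
import ssl


def pin_of(der_cert: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex, no colons) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_from_pem(pem_cert: str) -> str:
    """Fingerprint of a PEM certificate, e.g. a copy saved from a known-good machine."""
    return pin_of(ssl.PEM_cert_to_DER_cert(pem_cert))


def pin_matches(der_cert: bytes, expected_pins) -> bool:
    """True if the certificate's fingerprint is one of the expected pins.

    Pins may be given as 'openssl x509 -fingerprint -sha256' prints them
    (uppercase, colon-separated); they are normalised before comparing.
    hmac.compare_digest keeps the comparison from leaking how many leading
    characters agreed.
    """
    actual = pin_of(der_cert)
    return any(
        hmac.compare_digest(actual, p.replace(":", "").lower())
        for p in expected_pins
    )


def connect_pinned(host: str, port: int, expected_pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate is pinned.

    check_hostname must be cleared before verify_mode can be set to CERT_NONE;
    with CERT_NONE the dict form of getpeercert() is empty, but the binary
    form is still the full DER certificate the server presented.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, expected_pins):
            raise ssl.SSLError("server certificate does not match any pinned certificate")
    except BaseException:
        # Never hand back a socket that failed the pin check.
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Placeholder host, port and pin; replace with a real server and the
    # fingerprint of its known-good certificate.
    PINS = ["AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:"
            "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89"]
    with connect_pinned("server.example.org", 443, PINS) as s:
        print("pinned certificate accepted:", pin_of(s.getpeercert(binary_form=True)))
```

To obtain the pin for a machine you already trust, run ((openssl x509 -in server.pem -noout -fingerprint -sha256)) on your saved copy of its certificate, or feed the PEM text to ((pin_from_pem)). Because the comparison is on the whole certificate, a renewed certificate with the same subject name but a new key is rejected until the pin is updated, which is the behaviour you want when the goal is to recognise a specific machine.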