ProxHTTPSProxy, a Proxomitron SSL Helper Program
Jul. 13, 2010, 03:44 AM (This post was last modified: Jul. 13, 2010 03:46 AM by JJoe.)
Post: #114
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program
Have been wondering exactly how Python/ProxHTTPSProxy handles ssl.

After very little research, I have found http://mail.python.org/pipermail/python-...42166.html from Apr 2010.

Quote:I've found what looks like a security hole. The "ssl" module will validate the certificate chain, but it doesn't check that the certificate is valid for the domain.

Quote:The SSL module doesn't seem to let you read all the cert extensions,

Quote:Without host name checking, you lose all "man in the middle" protection in SSL.

Quote:All major browsers make this check. Most Python users will expect the SSL module to do the checks a browser does. If the user went to the trouble to provide a certificate authority file, and specified CERT_REQUIRED, they presumably want their connections fully validated.

and then

http://stackoverflow.com/questions/10872...ith-python from July-Dec 2009.

Quote:Python by default just accepts and uses SSL certificates when using HTTPS, so even if a certificate is invalid, Python libraries such as urllib2 and Twisted will just happily use the certificate.

Quote:Unfortunately, neither Python nor Twisted comes with the pile of CA certificates required to actually do HTTPS validation, nor the HTTPS validation logic. Due to a limitation in PyOpenSSL, you can't do it completely correctly just yet, but thanks to the fact that almost all certificates include a subject commonName, you can get close enough.

Does anybody know if any of these complaints are not current and valid?

Should developers be interested in the solution that was offered in the stackoverflow thread on Dec 17 '09 at 12:48?

Quote:PycURL does this beautifully.
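The gap the quoted posts describe is that the certificate chain is validated but nobody checks that the certificate was issued for the host actually being contacted, which is exactly the check that defeats a man in the middle holding a valid certificate for some other name. The following is an added example, not code from this post or from ProxHTTPSProxy, showing what that check looks like when done by hand against the certificate dict that Python's ssl.SSLSocket.getpeercert() returns. It goes a step beyond the commonName-only approach quoted from Stack Overflow: subjectAltName dNSName entries are treated as authoritative, the commonName is used only as a fallback when no dNSName exists, and wildcards are restricted to a single leftmost label. The two sample certificates are constructed. The last function shows that current Python versions perform this check themselves via ssl.create_default_context(), so the manual routine is only needed on interpreters that predate it.

```python
"""Hostname verification for a TLS peer certificate.

Added example; not code from this forum post or from ProxHTTPSProxy.
The certificate dicts have the shape that ssl.SSLSocket.getpeercert()
returns; the two sample certificates at the bottom are constructed.
"""
import ssl


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against hostname, RFC 6125 style.

    A wildcard is honoured only as the whole leftmost label, it matches
    exactly one label, and it must leave at least two fixed labels, so
    '*.example.com' is accepted while '*.com' and 'w*.example.com' are not.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    # the wildcard consumed exactly one label; the remaining labels must agree
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if the certificate is valid for hostname.

    subjectAltName dNSName entries are authoritative.  The subject
    commonName is consulted only when the certificate carries no dNSName
    at all, which is how browsers treated legacy certificates.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return any(_dns_match(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


def verifying_context(cafile=None) -> ssl.SSLContext:
    """The modern stdlib client configuration.

    create_default_context() enables both chain validation (CERT_REQUIRED)
    and the hostname check (check_hostname), so a socket wrapped with this
    context and a server_hostname refuses a certificate for the wrong name
    during the handshake, without any of the manual matching above.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED):
        raise RuntimeError("default context is not verifying; refuse to use it")
    return ctx


# Constructed sample certificates in getpeercert() form.
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.org"),)),
}


if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "api.example.com"),
                       (SAN_CERT, "ignored.example.org"),
                       (CN_ONLY_CERT, "mail.example.org")]:
        print(host, "->", hostname_matches(cert, host))
    print("stdlib checks hostname:", verifying_context().check_hostname)
```

Note that the SAN certificate's commonName is deliberately a name that does not appear in its subjectAltName: with dNSName entries present the commonName is ignored, so a connection to that host is refused even though the name is literally on the certificate.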
Messages In This Thread
RE: ProxHTTPSProxy, a Proxomitron SSL Helper Program - JJoe - Jul. 13, 2010 03:44 AM