You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@thrift.apache.org by "Will Pierce (JIRA)" <ji...@apache.org> on 2011/03/20 00:36:30 UTC
[jira] Created: (THRIFT-1100) python TSSLSocket improvements,
including certificate validation
python TSSLSocket improvements, including certificate validation
----------------------------------------------------------------
Key: THRIFT-1100
URL: https://issues.apache.org/jira/browse/THRIFT-1100
Project: Thrift
Issue Type: Improvement
Components: Python - Library
Reporter: Will Pierce
Assignee: Will Pierce
The python TSSLSocket.py module has TSSLSocket and TSSLServerSocket for outbound and inbound SSL connection wrapping.
This ticket is for a patch that makes several improvements:
* adds Apache license at top of file
* for outbound sockets, SSL certificate validation is now performed by default
** but may be disabled with validate=False in the constructor
** instructs python's ssl library to perform CERT_REQUIRED validation of the certificate
** also checks to make sure the certificate's {{commonName}} matches the hostname we tried to connect to
** raises TTransportExceptions when the certificate fails validation - tested using google's www.gmail.com (doesnt match) versus mail.google.com (matched cert commonName)
** puts a copy of the peer certificate in self.peercert, regardless of validation status
** sets a public boolean self.is_valid member variable to indicate whether the certificate was validated or not
* adds a configurable server certificate file, as a constructor argument {{certfile}}
** allows runtime changing of server cert with setCertfile() on the server, that changes the certfile used in subsequent ssl_wrap() calls
** exposes a class-level variable SSL_PROTOCOL to let the user select ssl.PROTOCOL_TLSv1 or other versions of SSL, instead of hard-coding TLSv1. Defaults to TLSv1 though.
* removes unnecessary sys.path modification
* adds lots of docstrings
In a somewhat unrelated change, this patch changes two lines in TSocket.py where self.handle is compared to None using {{!=}} instead of: {{is not}}.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (THRIFT-1100) python TSSLSocket improvements,
including certificate validation
Posted by "Will Pierce (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/THRIFT-1100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Will Pierce updated THRIFT-1100:
--------------------------------
Attachment: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch
patch attached:
adds lots of code to lib/py/src/transport/TSSLSocket.py and touches 2 lines in lib/py/src/transport/TSocket.py
> python TSSLSocket improvements, including certificate validation
> ----------------------------------------------------------------
>
> Key: THRIFT-1100
> URL: https://issues.apache.org/jira/browse/THRIFT-1100
> Project: Thrift
> Issue Type: Improvement
> Components: Python - Library
> Reporter: Will Pierce
> Assignee: Will Pierce
> Attachments: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch
>
>
> The python TSSLSocket.py module has TSSLSocket and TSSLServerSocket for outbound and inbound SSL connection wrapping.
> This ticket is for a patch that makes several improvements:
> * adds Apache license at top of file
> * for outbound sockets, SSL certificate validation is now performed by default
> ** but may be disabled with validate=False in the constructor
> ** instructs python's ssl library to perform CERT_REQUIRED validation of the certificate
> ** also checks to make sure the certificate's {{commonName}} matches the hostname we tried to connect to
> ** raises TTransportExceptions when the certificate fails validation - tested using google's www.gmail.com (doesnt match) versus mail.google.com (matched cert commonName)
> ** puts a copy of the peer certificate in self.peercert, regardless of validation status
> ** sets a public boolean self.is_valid member variable to indicate whether the certificate was validated or not
> * adds a configurable server certificate file, as a constructor argument {{certfile}}
> ** allows runtime changing of server cert with setCertfile() on the server, that changes the certfile used in subsequent ssl_wrap() calls
> ** exposes a class-level variable SSL_PROTOCOL to let the user select ssl.PROTOCOL_TLSv1 or other versions of SSL, instead of hard-coding TLSv1. Defaults to TLSv1 though.
> * removes unnecessary sys.path modification
> * adds lots of docstrings
> In a somewhat unrelated change, this patch changes two lines in TSocket.py where self.handle is compared to None using {{!=}} instead of: {{is not}}.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Closed] (THRIFT-1100) python TSSLSocket improvements,
including certificate validation
Posted by "Bryan Duxbury (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/THRIFT-1100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Duxbury closed THRIFT-1100.
---------------------------------
Resolution: Fixed
Fix Version/s: 0.7
I just committed this patch. Thanks Will!
> python TSSLSocket improvements, including certificate validation
> ----------------------------------------------------------------
>
> Key: THRIFT-1100
> URL: https://issues.apache.org/jira/browse/THRIFT-1100
> Project: Thrift
> Issue Type: Improvement
> Components: Python - Library
> Reporter: Will Pierce
> Assignee: Will Pierce
> Fix For: 0.7
>
> Attachments: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch
>
>
> The python TSSLSocket.py module has TSSLSocket and TSSLServerSocket for outbound and inbound SSL connection wrapping.
> This ticket is for a patch that makes several improvements:
> * adds Apache license at top of file
> * for outbound sockets, SSL certificate validation is now performed by default
> ** but may be disabled with validate=False in the constructor
> ** instructs python's ssl library to perform CERT_REQUIRED validation of the certificate
> ** also checks to make sure the certificate's {{commonName}} matches the hostname we tried to connect to
> ** raises TTransportExceptions when the certificate fails validation - tested using google's www.gmail.com (doesnt match) versus mail.google.com (matched cert commonName)
> ** puts a copy of the peer certificate in self.peercert, regardless of validation status
> ** sets a public boolean self.is_valid member variable to indicate whether the certificate was validated or not
> * adds a configurable server certificate file, as a constructor argument {{certfile}}
> ** allows runtime changing of server cert with setCertfile() on the server, that changes the certfile used in subsequent ssl_wrap() calls
> ** exposes a class-level variable SSL_PROTOCOL to let the user select ssl.PROTOCOL_TLSv1 or other versions of SSL, instead of hard-coding TLSv1. Defaults to TLSv1 though.
> * removes unnecessary sys.path modification
> * adds lots of docstrings
> In a somewhat unrelated change, this patch changes two lines in TSocket.py where self.handle is compared to None using {{!=}} instead of: {{is not}}.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira