Movatterモバイル変換

Issue22417

➜

This issue trackerhas been migrated toGitHub, and is currentlyread-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/66607

classification

Title:	PEP 476: verify HTTPS certificates by default
Type:	enhancement	Stage:
Components:		Versions:	Python 3.4, Python 3.5, Python 2.7

process

Status:	closed	Resolution:	fixed
Dependencies:	22366	Superseder:
Assigned To:	alex	Nosy List:	Arfrever, alex, benjamin.peterson, christian.heimes, clopez, dstufft, jcea, jwilk, koobs, larry, ncoghlan, orsenthil, python-dev, raulcd
Priority:	deferred blocker	Keywords:	needs review, patch

Created on2014-09-15 12:34 byncoghlan, last changed2022-04-11 14:58 byadmin. This issue is nowclosed.

Files
File name	Uploaded	Description	Edit
pep476_minimal_implementation.diff	ncoghlan,2014-09-15 12:34	Minimal changes to verify HTTPS by default	review
issue22417.diff	alex,2014-10-13 17:27		review
issue22417.diff	alex,2014-10-30 19:00		review
issue22417.diff	alex,2014-10-31 01:32		review
issue22417.diff	alex,2014-11-01 04:18		review
issue22417.diff	alex,2014-11-02 18:13		review
issue22417.diff	alex,2014-11-03 15:28		review
issue22417.diff	alex,2014-11-03 17:50		review
koobs-freebsd9.python3x-build2357.log	koobs,2014-11-13 23:20
issue22417.diff	alex,2014-11-23 23:30

Messages (18)
msg226912 -(view)	Author: Alyssa Coghlan (ncoghlan)*	Date: 2014-09-15 12:34
Attached minimal patch updates http.client.HTTPSConnection to validate certs by default and adjusts test.test_httplib accordingly.It doesn't currently include any docs changes, or changes to urllib.The process wide "revert to the old behaviour" hook is to monkeypatch the ssl module: ssl._create_default_https_context = ssl._create_unverified_contextTo monkeypatch the stdlib to validate everything (this one isn't new, just noting it for the record): ssl._create_stdlib_context = ssl.create_default_context
msg227093 -(view)	Author: Alyssa Coghlan (ncoghlan)*	Date: 2014-09-19 13:38
Currently marking as a deferred blocker, as Alex wasn't sure he'd be able to getPEP 476 fully updated in time for 3.4.2rc1, and was willing to accept waiting for 2.7.9 and 3.4.3 rather than delaying 3.4.2 any further.However, that was before Senthil accepted the patch in 22366 for 3.5, which means we're at "feature complete" for the proposed changes.There's still theissue 22366 backport patch, PEP update, docs updates and What's New updates to go, so assigning to Alex to decide if he wants to work with Larry to get this ready to go for 3.4.2 (noting that the PEP still needs the final tick of approval from Guido after being updated to reflect the proposed implementation).Otherwise we can get it ready for 2.7.9 with the other SSL changes, and it will appear in the 3.4.3 maintenance release, rather than 3.4.2.(Note that I'm busy most of this weekend, so +1 from me in advance if you decide to go ahead with getting it into 3.4.2)
msg229255 -(view)	Author: Alex Gaynor (alex)*	Date: 2014-10-13 17:27
Patch with the implementation, and initial work on documentation. Needs review please, I suspect we need more docs in more places. Feedback please!
msg230288 -(view)	Author: Alex Gaynor (alex)*	Date: 2014-10-30 19:00
Patch now makes more precise assertions about the type of error that's occurring.
msg230317 -(view)	Author: Alex Gaynor (alex)*	Date: 2014-10-31 01:32
Updates to teh docs based on teh feedback from Antoine.
msg230428 -(view)	Author: Alex Gaynor (alex)*	Date: 2014-11-01 04:18
New version of the patch based on feedback from benjamin, should make it easier to do the 3.4 branch stuff.
msg230512 -(view)	Author: Alex Gaynor (alex)*	Date: 2014-11-02 18:13
New patch uses self-signed.pythontest.net, instead of svn.python.org. svn.python.org is signed by CACert, which is in the root on some machines.
msg230541 -(view)	Author: Benjamin Peterson (benjamin.peterson)*	Date: 2014-11-03 15:21
% ./pythonLib/test/regrtest.py -v test_urllib2_localnet== CPython 3.4.2+ (3.4:7be6ef737aaf+, Nov 3 2014, 10:03:11) [GCC 4.8.3]==Linux-3.16.5-gentoo-x86_64-Intel-R-_Core-TM-_i7-2860QM_CPU_@_2.50GHz-with-gentoo-2.2 little-endian== hash algorithm: siphash24 64bit== /home/benjamin/dev/python/3.4/build/test_python_28724Testing with flags: sys.flags(debug=0, inspect=0, interactive=0, optimize=0, dont_write_bytecode=0, no_user_site=0, no_site=0, ignore_environment=0, verbose=0, bytes_warning=0, quiet=0, hash_randomization=1, isolated=0)[1/1] test_urllib2_localnettest_basic_auth_httperror (test.test_urllib2_localnet.BasicAuthTests) ... oktest_basic_auth_success (test.test_urllib2_localnet.BasicAuthTests) ... oktest_proxy_qop_auth_int_works_or_throws_urlerror (test.test_urllib2_localnet.ProxyAuthTests) ... oktest_proxy_qop_auth_works (test.test_urllib2_localnet.ProxyAuthTests) ... oktest_proxy_with_bad_password_raises_httperror (test.test_urllib2_localnet.ProxyAuthTests) ... oktest_proxy_with_no_password_raises_httperror (test.test_urllib2_localnet.ProxyAuthTests) ... oktest_200 (test.test_urllib2_localnet.TestUrlopen) ... oktest_200_with_parameters (test.test_urllib2_localnet.TestUrlopen) ... oktest_404 (test.test_urllib2_localnet.TestUrlopen) ... oktest_bad_address (test.test_urllib2_localnet.TestUrlopen) ... skipped "Use of the 'network' resource not enabled"test_basic (test.test_urllib2_localnet.TestUrlopen) ... oktest_chunked (test.test_urllib2_localnet.TestUrlopen) ... oktest_geturl (test.test_urllib2_localnet.TestUrlopen) ... oktest_https (test.test_urllib2_localnet.TestUrlopen) ... Got an error:[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:600)stopping HTTPS serverjoining HTTPS threadERRORtest_https_sni (test.test_urllib2_localnet.TestUrlopen) ... Got an error:[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:600)stopping HTTPS serverjoining HTTPS threadERRORtest_https_with_cadefault (test.test_urllib2_localnet.TestUrlopen) ... stopping HTTPS serverGot an error:[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:600)joining HTTPS threadoktest_https_with_cafile (test.test_urllib2_localnet.TestUrlopen) ... Got an error:[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:600)stopping HTTPS serverjoining HTTPS threadstopping HTTPS serverjoining HTTPS threadoktest_info (test.test_urllib2_localnet.TestUrlopen) ... oktest_iteration (test.test_urllib2_localnet.TestUrlopen) ... oktest_line_iteration (test.test_urllib2_localnet.TestUrlopen) ... oktest_redirection (test.test_urllib2_localnet.TestUrlopen) ... oktest_sending_headers (test.test_urllib2_localnet.TestUrlopen) ... ok======================================================================ERROR: test_https (test.test_urllib2_localnet.TestUrlopen)----------------------------------------------------------------------Traceback (most recent call last): File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1182, in do_open h.request(req.get_method(), req.selector, req.data, headers) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1090, in request self._send_request(method, url, body, headers) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1128, in _send_request self.endheaders(body) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1086, in endheaders self._send_output(message_body) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 924, in _send_output self.send(msg) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 859, in send self.connect() File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1230, in connect server_hostname=sni_hostname) File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 364, in wrap_socket _context=self) File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 584, in __init__ self.do_handshake() File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 811, in do_handshake self._sslobj.do_handshake()ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)During handling of the above exception, another exception occurred:Traceback (most recent call last): File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 548, in test_https data = self.urlopen("https://localhost:%s/bizarre" % handler.port) File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 455, in urlopen f = urllib.request.urlopen(url, data, *kwargs) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 161, in urlopen return opener.open(url, data, timeout) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 463, in open response = self._open(req, data) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 481, in _open '_open', req) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 441, in _call_chain result = func(args) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1225, in https_open context=self._context, check_hostname=self._check_hostname) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1184, in do_open raise URLError(err)urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)>======================================================================ERROR: test_https_sni (test.test_urllib2_localnet.TestUrlopen)----------------------------------------------------------------------Traceback (most recent call last): File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1182, in do_open h.request(req.get_method(), req.selector, req.data, headers) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1090, in request self._send_request(method, url, body, headers) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1128, in _send_request self.endheaders(body) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1086, in endheaders self._send_output(message_body) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 924, in _send_output self.send(msg) File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 859, in send self.connect() File "/home/benjamin/dev/python/3.4/Lib/http/client.py", line 1230, in connect server_hostname=sni_hostname) File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 364, in wrap_socket _context=self) File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 584, in __init__ self.do_handshake() File "/home/benjamin/dev/python/3.4/Lib/ssl.py", line 811, in do_handshake self._sslobj.do_handshake()ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)During handling of the above exception, another exception occurred:Traceback (most recent call last): File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 587, in test_https_sni self.urlopen("https://localhost:%s" % handler.port) File "/home/benjamin/dev/python/3.4/Lib/test/test_urllib2_localnet.py", line 455, in urlopen f = urllib.request.urlopen(url, data, *kwargs) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 161, in urlopen return opener.open(url, data, timeout) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 463, in open response = self._open(req, data) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 481, in _open '_open', req) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 441, in _call_chain result = func(args) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1225, in https_open context=self._context, check_hostname=self._check_hostname) File "/home/benjamin/dev/python/3.4/Lib/urllib/request.py", line 1184, in do_open raise URLError(err)urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)>----------------------------------------------------------------------Ran 22 tests in 3.087s
msg230542 -(view)	Author: Alex Gaynor (alex)*	Date: 2014-11-03 15:28
Latest patch fixes the urllib2_localnet tests.
msg230548 -(view)	Author: Alex Gaynor (alex)*	Date: 2014-11-03 17:50
Fix for the failing test_ssl testes.
msg230554 -(view)	Author: Roundup Robot (python-dev)	Date: 2014-11-03 19:37
New changeset2afe5413d7af by Benjamin Peterson in branch '3.4':PEP 476: enable HTTPS certificate verification by default (#22417)https://hg.python.org/cpython/rev/2afe5413d7afNew changeset731375f83406 by Benjamin Peterson in branch 'default':merge 3.4 (#22417)https://hg.python.org/cpython/rev/731375f83406
msg230556 -(view)	Author: Benjamin Peterson (benjamin.peterson)*	Date: 2014-11-03 19:39
Okay, 3.4/3.5 have been dealt with. I had to hack up test_logging a bit. (#22788 would make that better). 2.7 now needs a backport.
msg230568 -(view)	Author: Benjamin Peterson (benjamin.peterson)*	Date: 2014-11-03 22:41
Somehow the Windows bots are failing to verify python.orghttp://buildbot.python.org/all/builders/x86%20XP-4%203.x/builds/11179/steps/test/logs/stdio
msg231140 -(view)	Author: Kubilay Kocak (koobs)	Date: 2014-11-13 23:20
Builds failing on koobs-freebsd9 buildbot for:3.x: since revisionb2c17681404f80edae2ee4846db701104d942cc43.4: since revision246c9570a75798a4757001620cf92cc8d2eba684 Attaching both initial build failure test logs.
msg231583 -(view)	Author: Alex Gaynor (alex)*	Date: 2014-11-23 23:30
Attached patch backports this to 2.7.
msg231592 -(view)	Author: Roundup Robot (python-dev)	Date: 2014-11-24 03:02
New changesetfb83916c3ea1 by Benjamin Peterson in branch '2.7':pep 476: verify certificates by default (#22417)https://hg.python.org/cpython/rev/fb83916c3ea1
msg284604 -(view)	Author: Carlos Alberto Lopez Perez (clopez)	Date: 2017-01-04 00:58
The python 2.7 documentation for urrlib still has a big warning notice at the top saying:"""WarningWhen opening HTTPS URLs, it does not attempt to validate the server certificate. Use at your own risk! """^^https://docs.python.org/2/library/urllib.htmlI believe this is incorrect since this patch was backported to the 2.7 branch. I checked it, and it verifies SSL certs by default.I guess the documentation for urllib should be updated to remove that warning?
msg284623 -(view)	Author: Christian Heimes (christian.heimes)*	Date: 2017-01-04 09:42
Carlos, you are correct. Please create a new issue and make it a documentation issue for 2.7. Thanks!

History
Date	User	Action	Args
2022-04-11 14:58:08	admin	set	github: 66607
2017-01-04 09:42:57	christian.heimes	set	messages: +msg284623
2017-01-04 00:58:14	clopez	set	nosy: +clopez messages: +msg284604
2014-11-24 04:58:27	benjamin.peterson	set	status: open -> closed resolution: fixed
2014-11-24 03:02:23	python-dev	set	messages: +msg231592
2014-11-23 23:30:09	alex	set	files: +issue22417.diff messages: +msg231583
2014-11-13 23:20:23	koobs	set	files: +koobs-freebsd9.python3x-build2357.log nosy: +koobs messages: +msg231140
2014-11-03 22:41:25	benjamin.peterson	set	messages: +msg230568
2014-11-03 19:39:45	benjamin.peterson	set	messages: +msg230556
2014-11-03 19:37:21	python-dev	set	nosy: +python-dev messages: +msg230554
2014-11-03 17:50:52	alex	set	files: +issue22417.diff messages: +msg230548
2014-11-03 15:28:41	alex	set	files: +issue22417.diff messages: +msg230542
2014-11-03 15:21:23	benjamin.peterson	set	messages: +msg230541
2014-11-02 18:13:27	alex	set	files: +issue22417.diff messages: +msg230512
2014-11-01 04:18:47	alex	set	files: +issue22417.diff messages: +msg230428
2014-10-31 01:32:55	alex	set	files: +issue22417.diff messages: +msg230317
2014-10-30 19:00:28	alex	set	files: +issue22417.diff messages: +msg230288
2014-10-13 17:27:23	alex	set	keywords: +needs review files: +issue22417.diff messages: +msg229255
2014-10-13 08:18:40	raulcd	set	nosy: +raulcd
2014-09-25 23:38:14	jcea	set	nosy: +jcea
2014-09-21 09:02:51	Arfrever	set	nosy: +Arfrever
2014-09-20 17:29:09	christian.heimes	set	nosy: +christian.heimes
2014-09-19 13:38:56	ncoghlan	set	priority: high -> deferred blocker dependencies: +urllib.request.urlopen should take a "context" (SSLContext) argument assignee:alex versions: + Python 2.7, Python 3.4, Python 3.5 nosy: +benjamin.peterson messages: +msg227093
2014-09-18 18:06:57	jwilk	set	nosy: +jwilk
2014-09-17 08:57:25	orsenthil	set	nosy: +orsenthil
2014-09-15 16:39:08	alex	set	nosy: +dstufft
2014-09-15 12:34:29	ncoghlan	create

Supported byThe Python Software Foundation,
Powered byRoundup