thrift-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Will Pierce (JIRA)" <>
Subject [jira] Updated: (THRIFT-1100) python TSSLSocket improvements, including certificate validation
Date Sat, 19 Mar 2011 23:42:29 GMT


Will Pierce updated THRIFT-1100:

    Attachment: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch

patch attached:
adds lots of code to lib/py/src/transport/ and touches 2 lines in lib/py/src/transport/

> python TSSLSocket improvements, including certificate validation
> ----------------------------------------------------------------
>                 Key: THRIFT-1100
>                 URL:
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Python - Library
>            Reporter: Will Pierce
>            Assignee: Will Pierce
>         Attachments: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch
> The python module has TSSLSocket and TSSLServerSocket for outbound and
inbound SSL connection wrapping.
> This ticket is for a patch that makes several improvements:
> * adds Apache license at top of file
> * for outbound sockets, SSL certificate validation is now performed by default
> ** but may be disabled with validate=False in the constructor
> ** instructs python's ssl library to perform CERT_REQUIRED validation of the certificate
> ** also checks to make sure the certificate's {{commonName}} matches the hostname we
tried to connect to
> ** raises TTransportExceptions when the certificate fails validation - tested using google's (doesnt match) versus (matched cert commonName)
> ** puts a copy of the peer certificate in self.peercert, regardless of validation status
> ** sets a public boolean self.is_valid member variable to indicate whether the certificate
was validated or not
> * adds a configurable server certificate file, as a constructor argument {{certfile}}
> ** allows runtime changing of server cert with setCertfile() on the server, that changes
the certfile used in subsequent ssl_wrap() calls
> ** exposes a class-level variable SSL_PROTOCOL to let the user select ssl.PROTOCOL_TLSv1
or other versions of SSL, instead of hard-coding TLSv1.  Defaults to TLSv1 though.
> * removes unnecessary sys.path modification
> * adds lots of docstrings
> In a somewhat unrelated change, this patch changes two lines in where self.handle
is compared to None using {{!=}} instead of: {{is not}}.

This message is automatically generated by JIRA.
For more information on JIRA, see:

View raw message