thrift-dev mailing list archives

From "Will Pierce (JIRA)" <j...@apache.org>
Subject [jira] Updated: (THRIFT-1100) python TSSLSocket improvements, including certificate validation
Date Sat, 19 Mar 2011 23:42:29 GMT

    [ https://issues.apache.org/jira/browse/THRIFT-1100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Will Pierce updated THRIFT-1100:
--------------------------------

    Attachment: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch

Patch attached: adds lots of code to lib/py/src/transport/TSSLSocket.py and touches 2 lines in lib/py/src/transport/TSocket.py


> python TSSLSocket improvements, including certificate validation
> ----------------------------------------------------------------
>
>                 Key: THRIFT-1100
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1100
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Python - Library
>            Reporter: Will Pierce
>            Assignee: Will Pierce
>         Attachments: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch
>
>
> The python TSSLSocket.py module has TSSLSocket and TSSLServerSocket for outbound and inbound SSL connection wrapping.
> This ticket is for a patch that makes several improvements:
> * adds Apache license at top of file
> * for outbound sockets, SSL certificate validation is now performed by default
> ** but may be disabled with validate=False in the constructor
> ** instructs python's ssl library to perform CERT_REQUIRED validation of the certificate
> ** also checks to make sure the certificate's {{commonName}} matches the hostname we tried to connect to
> ** raises TTransportExceptions when the certificate fails validation - tested using Google's www.gmail.com (doesn't match) versus mail.google.com (matched cert commonName)
> ** puts a copy of the peer certificate in self.peercert, regardless of validation status
> ** sets a public boolean self.is_valid member variable to indicate whether the certificate was validated or not
> * adds a configurable server certificate file, as a constructor argument {{certfile}}
> ** allows runtime changing of server cert with setCertfile() on the server, that changes the certfile used in subsequent ssl_wrap() calls
> ** exposes a class-level variable SSL_PROTOCOL to let the user select ssl.PROTOCOL_TLSv1 or other versions of SSL, instead of hard-coding TLSv1. Defaults to TLSv1 though.
> * removes unnecessary sys.path modification
> * adds lots of docstrings
> In a somewhat unrelated change, this patch changes two lines in TSocket.py where self.handle is compared to None using {{!=}} instead of: {{is not}}.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
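The outbound validation the ticket describes (CERT_REQUIRED plus a commonName match against the dialled hostname, raising TTransportException on failure, exposing peercert and is_valid), written out as an added Python example that is not the attached patch's code. TTransportException here is a stand-in class so the block runs without Thrift, the certificates are constructed samples in the dict form ssl.SSLSocket.getpeercert() returns, and the subjectAltName handling goes beyond the ticket's commonName-only check.

```python
import ssl

class TTransportException(Exception):
    """Stand-in for thrift.transport.TTransport.TTransportException, assumed
    here so the example runs without Thrift installed."""

def cert_names(cert):
    """Collect the host names a peer certificate claims, from the dict that
    ssl.SSLSocket.getpeercert() returns: each subject commonName, plus any
    dNSName in subjectAltName (the SAN part goes beyond the ticket's CN check)."""
    names = [value for rdn in cert.get('subject', ())
             for key, value in rdn if key == 'commonName']
    names += [value for kind, value in cert.get('subjectAltName', ())
              if kind == 'DNS']
    return names

def check_hostname(cert, hostname):
    """Return True when the certificate names the host we dialled (exact,
    case-insensitive match); otherwise raise TTransportException, as the
    patched TSSLSocket does when validation fails."""
    if not cert:
        raise TTransportException('no peer certificate presented by %s' % hostname)
    wanted = hostname.lower()
    if any(name.lower() == wanted for name in cert_names(cert)):
        return True
    raise TTransportException('certificate names %r do not match host %r'
                              % (cert_names(cert), hostname))

def wrap_outbound(sock, hostname, ca_certs, validate=True):
    """Wrap a connected socket as the ticket describes: CERT_REQUIRED against
    ca_certs plus a hostname check, unless validate=False. Returns
    (ssl_sock, peercert, is_valid). Needs a live peer, so it is not run here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # name matching is done by check_hostname() above
    ctx.verify_mode = ssl.CERT_REQUIRED if validate else ssl.CERT_NONE
    if validate:
        ctx.load_verify_locations(ca_certs)
    ssl_sock = ctx.wrap_socket(sock, server_hostname=hostname)
    peercert = ssl_sock.getpeercert()  # empty dict when verify_mode is CERT_NONE
    is_valid = validate and check_hostname(peercert, hostname)
    return ssl_sock, peercert, is_valid

# Constructed sample certificates in getpeercert() dict form (not real certs).
MAIL_CERT = {'subject': ((('countryName', 'US'),), (('organizationName', 'Example Corp'),),
                         (('commonName', 'mail.example.com'),))}
SAN_CERT = {'subject': ((('commonName', 'edge.example.net'),),),
            'subjectAltName': (('DNS', 'edge.example.net'), ('DNS', 'api.example.net'))}
```

Current Python performs this matching itself when SSLContext.check_hostname is True, which also honours subjectAltName and wildcards; the manual check above mirrors what the 2011 patch had to do by hand.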
