Date: Sat, 19 Mar 2011 23:42:29 +0000 (UTC)
From: "Will Pierce (JIRA)"
To: dev@thrift.apache.org
Reply-To: dev@thrift.apache.org
Message-ID: <1785298743.13951.1300578149552.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <1621703731.13949.1300577790085.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] Updated: (THRIFT-1100) python TSSLSocket improvements, including certificate validation

[ https://issues.apache.org/jira/browse/THRIFT-1100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Will Pierce updated
THRIFT-1100:
--------------------------------

    Attachment: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch

patch attached: adds lots of code to lib/py/src/transport/TSSLSocket.py and touches 2 lines in lib/py/src/transport/TSocket.py

> python TSSLSocket improvements, including certificate validation
> ----------------------------------------------------------------
>
>                 Key: THRIFT-1100
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1100
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Python - Library
>            Reporter: Will Pierce
>            Assignee: Will Pierce
>         Attachments: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch
>
>
> The python TSSLSocket.py module has TSSLSocket and TSSLServerSocket for outbound and inbound SSL connection wrapping.
> This ticket is for a patch that makes several improvements:
> * adds Apache license at top of file
> * for outbound sockets, SSL certificate validation is now performed by default
> ** but may be disabled with validate=False in the constructor
> ** instructs python's ssl library to perform CERT_REQUIRED validation of the certificate
> ** also checks to make sure the certificate's {{commonName}} matches the hostname we tried to connect to
> ** raises TTransportExceptions when the certificate fails validation - tested using google's www.gmail.com (doesn't match) versus mail.google.com (matched cert commonName)
> ** puts a copy of the peer certificate in self.peercert, regardless of validation status
> ** sets a public boolean self.is_valid member variable to indicate whether the certificate was validated or not
> * adds a configurable server certificate file, as a constructor argument {{certfile}}
> ** allows runtime changing of server cert with setCertfile() on the server, that changes the certfile used in subsequent ssl_wrap() calls
> ** exposes a class-level variable SSL_PROTOCOL to let the user select ssl.PROTOCOL_TLSv1 or other versions of SSL, instead of hard-coding TLSv1. Defaults to TLSv1 though.
> * removes unnecessary sys.path modification
> * adds lots of docstrings
> In a somewhat unrelated change, this patch changes two lines in TSocket.py where self.handle is compared to None using {{!=}} instead of: {{is not}}.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
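The hostname check the ticket describes (validate under CERT_REQUIRED, compare the certificate's name to the host that was dialled, raise on mismatch, expose an is_valid boolean), as an added example that is not the patch's code or Thrift's. It works on the dict that ssl.SSLSocket.getpeercert() returns and goes beyond the patch's commonName comparison by preferring subjectAltName DNS entries and accepting one leftmost wildcard label; CertificateValidationError and the sample certificate dicts are assumed and constructed here.

```python
import re


class CertificateValidationError(Exception):
    """Stand-in for the TTransportException the patch raises (assumed name)."""


def _dns_name_matches(pattern, hostname):
    """Case-insensitive match; a single leading '*.' may replace exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    # '*.google.com' matches 'mail.google.com' but not 'a.b.google.com' or 'google.com'
    return re.match(r"^[^.]+\." + re.escape(pattern[2:]) + r"$", hostname) is not None


def _candidate_names(peercert):
    """Prefer subjectAltName DNS entries; use commonName only when no SAN is present."""
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in peercert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def validate_peercert(peercert, hostname):
    """Return True when the certificate names hostname, else raise (like the patch)."""
    if not peercert:
        # An empty dict is what getpeercert() returns when the cert was not validated.
        raise CertificateValidationError("no peer certificate presented")
    names = _candidate_names(peercert)
    if any(_dns_name_matches(name, hostname) for name in names):
        return True
    raise CertificateValidationError(
        "certificate names %r do not match host %r" % (names, hostname))


def is_valid(peercert, hostname):
    """Boolean form, mirroring the patch's self.is_valid member."""
    try:
        return validate_peercert(peercert, hostname)
    except CertificateValidationError:
        return False


# Constructed peer-certificate dicts in getpeercert() shape (not real Google certs).
MAIL_GOOGLE_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "subjectAltName": (("DNS", "mail.google.com"), ("DNS", "*.google.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.google.com"),),)}
```

With the two hostnames from the ticket, is_valid(MAIL_GOOGLE_CERT, "mail.google.com") is True and is_valid(MAIL_GOOGLE_CERT, "www.gmail.com") is False.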