Differences between revisions 3 and 4
Revision 3 as of 2010-11-09 18:24:01
Size: 1227
Editor: techtonik
Comment: explain how to eavesdrop Python 2.x ssl connections
Revision 4 as of 2010-11-09 18:25:22
Size: 1241
Editor: techtonik
Comment: speling
Deletions are marked like this. Additions are marked like this.
Line 8: Line 8:
SSL module from http://pypi.python.org/pypi/ssl is bundled with installer. It has a serious security issue that allows successful MITM attack using valid certificate from an other site - http://bugs.python.org/issue1589 Basically, the module validates that certificate is correct and correctly signed by root certificate, but it does not check that it actually belong to the connected site, i.e. that site name match the one specified in certificate. SSL module from http://pypi.python.org/pypi/ssl is bundled with installer. It has a serious security issue that allows successful MITM attack using valid certificate from an other site - http://bugs.python.org/issue1589 Basically, the module validates that certificate is correct and correctly signed by root certificate, but it does not check that certificate actually belongs to the connected site, i.e. that site name matches the name specified in certificate.
Line 17: Line 17:
=== Get updated list of root certificates == === Get updated list of root certificates ===

SSL stands for Secure Sockets Layer and is designed to create secure connection between client and server. Secure means that connection is encrypted and therefore protected from eavesdropping. It also allows to validate server identity.

SSL libraries availability and limitations

  • Python 2.5 (the version AppEngine is running)

SSL support is available from http://pypi.python.org/pypi/ssl Unfortunately, there are no binaries for Windows, and that's a major showstopper when using Python 2.5.

  • Python 2.6

SSL module from http://pypi.python.org/pypi/ssl is bundled with installer. It has a serious security issue that allows successful MITM attack using valid certificate from an other site - http://bugs.python.org/issue1589 Basically, the module validates that certificate is correct and correctly signed by root certificate, but it does not check that certificate actually belongs to the connected site, i.e. that site name matches the name specified in certificate.

Validating server identity

Client need to connect to server over SSL, fetch its certificate and check that the certificate indeed belongs to this server (server name). 



Get updated list of root certificates


SSL  (last edited 2010-11-21 08:55:53 by techtonik)










Unable to edit the page? See the FrontPage for instructions.