authorWilliam Woodruff <william@yossarian.net>2024-03-06 16:44:58 -0500
committerGitHub <noreply@github.com>2024-03-06 13:44:58 -0800
commit0876b921b28bb14e3fa61b188e52fc9b4c77cb1a (patch)
tree62bc49024ede52d872ea9a270390bb338709b653 /Lib/ssl.py
parentea1803e608a7aaf9cf2c07e510d8540d46d3b9ad (diff)
gh-107361: strengthen default SSL context flags (#112389)
This adds `VERIFY_X509_STRICT` to make the default SSL context perform stricter (per RFC 5280) validation, as well as `VERIFY_X509_PARTIAL_CHAIN` to enforce more standards-compliant path-building behavior. As part of this changeset, I had to tweak `make_ssl_certs.py` slightly to emit 5280-conforming CA certs. This changeset includes the regenerated certificates after that change. Signed-off-by: William Woodruff <william@yossarian.net> Co-authored-by: Victor Stinner <vstinner@python.org>
Diffstat (limited to 'Lib/ssl.py')
-rw-r--r--Lib/ssl.py10
1 files changed, 10 insertions, 0 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 03d0121891f..cc685c2cc40 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -704,6 +704,16 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
else:
raise ValueError(purpose)
+ # `VERIFY_X509_PARTIAL_CHAIN` makes OpenSSL's chain building behave more
+ # like RFC 3280 and 5280, which specify that chain building stops with the
+ # first trust anchor, even if that anchor is not self-signed.
+ #
+ # `VERIFY_X509_STRICT` makes OpenSSL more conservative about the
+ # certificates it accepts, including "disabling workarounds for
+ # some broken certificates."
+ context.verify_flags |= (_ssl.VERIFY_X509_PARTIAL_CHAIN |
+ _ssl.VERIFY_X509_STRICT)
+
if cafile or capath or cadata:
context.load_verify_locations(cafile, capath, cadata)
elif context.verify_mode != CERT_NONE: