Message10511

Author	zyasoft
Recipients	darjus, zyasoft
Date	2015-11-28.02:16:08
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1448676969.74.0.782651108354.issue2390@psf.upfronthosting.co.za>
In-reply-to

Content
Now blocking 2.7.1 In looking at #2437, I reviewed specifics of our SSL negotiation as changed for implementing SSLContext support and noticed we have introduced a regression compared to Jython 2.7.0: def _createSSLEngine(self): trust_managers = [NoVerifyX509TrustManager()] if self.verify_mode == CERT_REQUIRED: tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()) tmf.init(self._trust_store) trust_managers = tmf.getTrustManagers() if self._key_managers is None: # get an e self._context.init(_get_openssl_key_manager().getKeyManagers(), trust_managers, None) else: self._context.init(self._key_managers.getKeyManagers(), trust_managers, None) engine = self._context.createSSLEngine() if self._ciphers is not None: engine.setEnabledCipherSuites(self._ciphers) return engine The problem is in the use of NoVerifyX509TrustManager. This was intended to support being able to turn off SSL validation, but it should only be done in the context of implementing https://www.python.org/dev/peps/pep-0476, specifically support in https://www.python.org/dev/peps/pep-0476/#opting-out for monkey patching SSL so that it is possible to not validate certs, but only with some work by a developer. Such opt-in monkeypatching should use ssl._create_unverified_context (to be implemented). This validation change is a regression, because Jython in the past used Java's underlying cert validation by default, which matches latest CPython support, again as specified by PEP 476. One thing we should also consider is backporting CPython 2.7.10 (or latest) version of test_ssl and supporting files, which adds support for testing cert verification.

Now blocking 2.7.1

In looking at #2437, I reviewed specifics of our SSL negotiation as changed for implementing SSLContext support and noticed we have introduced a regression compared to Jython 2.7.0:

    def _createSSLEngine(self):
        trust_managers = [NoVerifyX509TrustManager()]
        if self.verify_mode == CERT_REQUIRED:
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
            tmf.init(self._trust_store)
            trust_managers = tmf.getTrustManagers()

        if self._key_managers is None:  # get an e
            self._context.init(_get_openssl_key_manager().getKeyManagers(), trust_managers, None)
        else:
            self._context.init(self._key_managers.getKeyManagers(), trust_managers, None)

        engine = self._context.createSSLEngine()

        if self._ciphers is not None:
            engine.setEnabledCipherSuites(self._ciphers)

        return engine

The problem is in the use of NoVerifyX509TrustManager. This was intended to support being able to turn off SSL validation, but it should only be done in the context of implementing https://www.python.org/dev/peps/pep-0476, specifically support in https://www.python.org/dev/peps/pep-0476/#opting-out for monkey patching SSL so that it is possible to not validate certs, but only with some work by a developer. Such opt-in monkeypatching should use ssl._create_unverified_context (to be implemented).

This validation change is a regression, because Jython in the past used Java's underlying cert validation by default, which matches *latest* CPython support, again as specified by PEP 476.

One thing we should also consider is backporting CPython 2.7.10 (or latest) version of test_ssl and supporting files, which adds support for testing cert verification.

History
Date	User	Action	Args
2015-11-28 02:16:09	zyasoft	set	messageid: <1448676969.74.0.782651108354.issue2390@psf.upfronthosting.co.za>
2015-11-28 02:16:09	zyasoft	set	recipients: + zyasoft, darjus
2015-11-28 02:16:09	zyasoft	link	issue2390 messages
2015-11-28 02:16:08	zyasoft	create