[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread Jesús Cea Avión
Jesús Cea Avión added the comment: This technique is used in Mercurial and I use it in my projects too. -- ___ Python tracker ___ ___

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread Jesús Cea Avión
Changes by Jesús Cea Avión: -- nosy: +jcea

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread raymontag
raymontag added the comment: Great, that matches my needs exactly.

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread Antoine Pitrou
Antoine Pitrou added the comment:
> sha256(conn.getpeercert(True)) works until the cert gets e.g. more
> SAN fields.
Indeed, that's simply comparing the certificate by binary value. At this point you don't even need a CA anymore, I guess :-)

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread raymontag
raymontag added the comment: That's not a good idea; a serial number could be faked.

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread Christian Heimes
Christian Heimes added the comment: sha256(conn.getpeercert(True)) works until the cert gets e.g. more SAN fields.

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread Antoine Pitrou
Antoine Pitrou added the comment:
> Are there at this moment other possibilities to implement pinning
> myself with the options the module provides me?
I don't think so. Perhaps you could use the serialNumber, but I'm not sure how safe it is, even when restricting to a single CA cert.

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread raymontag
raymontag added the comment: Yeah, this was my first idea, too. Are there at this moment other possibilities to implement pinning myself with the options the module provides me?

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread Christian Heimes
Christian Heimes added the comment: getpeercert() doesn't return Subject Public Key Info yet. It's on my TODO list. Chrome uses SPKI (PK algo + mod + exp) to pin certs, https://www.imperialviolet.org/2011/05/04/pinning.html
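The difference between pinning the whole certificate (sha256 over what conn.getpeercert(True) returns, as discussed above in this thread) and pinning the SubjectPublicKeyInfo that Chrome uses can be shown with a small stdlib-only example. This is an added illustration, not code from the Python tracker, the ssl module, or Mercurial: it walks the DER of an X.509 certificate far enough to cut out the SPKI, computes a base64(SHA-256(SPKI)) pin, and checks a peer against a pin set. The certificates it operates on are constructed in the block (fake RSA key bytes, placeholder signature, never signed by anything), so the whole thing runs offline; the function names (extract_spki, spki_pin, pin_matches, build_cert) are the example's own. In real use the DER bytes would come from conn.getpeercert(binary_form=True).

```python
import base64
import hashlib
import hmac

# ---- minimal DER helpers (stdlib only; the encoder exists just to build sample certs) ----

def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def der_read(buf, pos):
    """Read one TLV at buf[pos]; return (tag, content, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the raw DER of subjectPublicKeyInfo from an X.509 certificate.
    Walked layout: Certificate SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ... }, sigAlg, sigValue }."""
    tag, cert, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, tbs, _ = der_read(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, pos = der_read(tbs, 0)
    if tag == 0xA0:                      # explicit [0] version present, so the serial is next
        _, _, pos = der_read(tbs, pos)
    for _ in range(4):                   # skip signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    start = pos
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return tbs[start:end]

def spki_pin(cert_der):
    """Chrome/HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")

def cert_fingerprint(cert_der):
    """Whole-certificate fingerprint, i.e. sha256(conn.getpeercert(True)) from the thread."""
    return hashlib.sha256(cert_der).hexdigest()

def pin_matches(cert_der, pinned):
    """Accept the peer only if its SPKI pin is one of the pinned values."""
    pin = spki_pin(cert_der).encode()
    return any(hmac.compare_digest(pin, p.encode()) for p in pinned)

# ---- constructed sample certificates: NOT real, NOT signed, demonstration only ----

OID_RSA = der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))        # 1.2.840.113549.1.1.1
OID_SHA256RSA = der_tlv(0x06, bytes.fromhex("2A864886F70D01010B"))  # 1.2.840.113549.1.1.11
OID_CN = der_tlv(0x06, bytes.fromhex("550403"))                      # 2.5.4.3 commonName
OID_SAN = der_tlv(0x06, bytes.fromhex("551D11"))                     # 2.5.29.17 subjectAltName
NULL = der_tlv(0x05, b"")

def fake_rsa_spki(modulus_byte):
    """SPKI with a stand-in RSAPublicKey (modulus is one byte repeated; fake key material)."""
    rsa_pub = der_seq(der_tlv(0x02, b"\x00" + bytes([modulus_byte]) * 256),
                      der_tlv(0x02, b"\x01\x00\x01"))
    return der_seq(der_seq(OID_RSA, NULL), der_tlv(0x03, b"\x00" + rsa_pub))

def build_cert(serial, dns_names, spki):
    """Assemble a v3 certificate skeleton around the given SPKI with the given SANs."""
    name = der_seq(der_tlv(0x31, der_seq(OID_CN, der_tlv(0x0C, b"example.com"))))
    validity = der_seq(der_tlv(0x17, b"230101000000Z"), der_tlv(0x17, b"240101000000Z"))
    san = der_seq(*(der_tlv(0x82, n.encode()) for n in dns_names))  # GeneralNames of [2] dNSName
    ext = der_seq(der_seq(OID_SAN, der_tlv(0x04, san)))
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # version v3
                  der_tlv(0x02, bytes([serial])),
                  der_seq(OID_SHA256RSA, NULL),
                  name, validity, name, spki,
                  der_tlv(0xA3, ext))
    sig = der_tlv(0x03, b"\x00" + b"\x00" * 32)            # placeholder, not a real signature
    return der_seq(tbs, der_seq(OID_SHA256RSA, NULL), sig)

KEY_A = fake_rsa_spki(0xC3)
KEY_B = fake_rsa_spki(0x5A)
CERT_V1 = build_cert(1, ["example.com"], KEY_A)
CERT_V2 = build_cert(2, ["example.com", "www.example.com"], KEY_A)  # renewal: same key, extra SAN
CERT_OTHER = build_cert(3, ["example.com"], KEY_B)                  # different key entirely

def demo():
    return {
        "fingerprint_changes": cert_fingerprint(CERT_V1) != cert_fingerprint(CERT_V2),
        "spki_pin_survives": spki_pin(CERT_V1) == spki_pin(CERT_V2),
        "other_key_rejected": not pin_matches(CERT_OTHER, {spki_pin(CERT_V1)}),
    }

if __name__ == "__main__":
    print(demo())
```

The renewed certificate (extra SAN, new serial) has a different whole-certificate fingerprint, so a client that pinned sha256 of the DER would stop connecting at renewal, while the SPKI pin is unchanged as long as the server keeps its key; a certificate for a different key fails the pin check. The DER walker here assumes a well-formed certificate and is deliberately minimal; production code should use a proper ASN.1 parser, keep a backup pin for a key that is not yet deployed, and still run the normal chain validation before the pin check rather than instead of it.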

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread Antoine Pitrou
Antoine Pitrou added the comment: If you want to check for a specific server certificate, then I guess it should be enough to expose the cert's fingerprint in the data returned by getpeercert().

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread raymontag
raymontag added the comment: Yep, that's exactly what I meant :)
-- resolution: -> duplicate
status: open -> closed

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread Christian Heimes
Christian Heimes added the comment: TLS cert pinning should be possible with the implementation of #18293
-- nosy: +christian.heimes, giampaolo.rodola, janssen, pitrou
stage: -> needs patch
versions: +Python 3.4

[issue18735] SSL/TLS pinning for the ssl module

2013-08-14 Thread raymontag
New submission from raymontag: Hello, I would like to see an implementation for SSL/TLS pinning in the ssl module of the standard library. At this moment it's only possible to give the client a CA cert and check if the server's certificate is signed with this CA by creating an ssl.Context objec