Open tiran opened 11 years ago
Python's ssl module doesn't support OCSP [1]. The example code at [2] doesn't look too complicated. We should consider OCSP at least for 3.4 and may want to backport it to older versions to prevent MITM attacks on PyPI downloads.
[1] http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
[2] http://etutorials.org/Programming/secure+programming/Chapter+10.+Public+Key+Infrastructure/10.12+Checking+Revocation+Status+via+OCSP+with+OpenSSL/
Can you explain how OCSP helps prevent MITM attacks?
----- Original Message -----
From: "Christian Heimes" <report@bugs.python.org> To: pitrou@free.fr Sent: Monday 4 February 2013 17:14:32 Subject: [bpo-17123] Add OCSP support to ssl module
New submission from Christian Heimes:
Python's ssl module doesn't support OCSP [1]. The example code at [2] doesn't look too complicated. We should consider OCSP at least for 3.4 and may want to backport it to older versions to prevent MITM attacks on PyPI downloads.
OCSP can prevent MITM attacks when the private server cert or CA cert got compromised or stolen somehow.
Christian, I really don't agree this should be a release blocker, and especially not for bugfix branches.
I won't have time for a proper implementation for 3.4. Defer to 3.5
I'll add OCSP stapling verification to 3.7.
It would be great to see at least minimal OCSP stapling support (in the form of callbacks on the client and server sides) available in the ssl module, similar to the way that pyopenssl has added such callbacks:
https://github.com/pyca/pyopenssl/pull/580
If that was present in the ssl module, then it would let other implementations supply reasonable callback functionality for fetching and relaying stapled OCSP responses (on the server side) and validating in-band OCSP responses (on the client side).
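The client-side half of the callback design described in this comment, as an added example that is not code from CPython or pyOpenSSL: the acceptance policy a client callback would apply to a stapled OCSP response. DER parsing of the response is left to a caller-supplied `parse` function, and the policy constants, serial numbers and reference time are assumed, constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass
class StapledStatus:  # fields a client needs from a parsed stapled OCSP response (constructed view)
    cert_status: str                # "good", "revoked" or "unknown"
    serial_number: int              # serial number the response speaks about
    this_update: datetime           # start of the validity window
    next_update: "datetime | None"  # end of the window; None when the responder gave none
    signature_ok: bool              # responder signature already verified by the parser
MAX_SKEW = timedelta(minutes=5)  # tolerated clock skew (assumed policy value)
MAX_AGE = timedelta(days=7)      # oldest thisUpdate accepted when nextUpdate is absent (assumed)
def stapled_response_acceptable(resp, expected_serial, now):
    """Hard-fail policy: only a signed, fresh 'good' answer about the expected cert passes."""
    if resp is None:
        return False, "no stapled response"
    if not resp.signature_ok:
        return False, "responder signature not verified"
    if resp.serial_number != expected_serial:
        return False, "response is about a different certificate"
    if resp.this_update > now + MAX_SKEW:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None:
        if now > resp.next_update + MAX_SKEW:
            return False, "response expired (nextUpdate passed)"
    elif now - resp.this_update > MAX_AGE:
        return False, "response too old"
    if resp.cert_status != "good":
        return False, "certificate status is " + resp.cert_status
    return True, "fresh 'good' status"

def make_client_callback(parse, expected_serial):
    """pyOpenSSL-style client callback(connection, ocsp_data, user_data) -> bool.
    'parse' turns the DER bytes into a StapledStatus and is caller-supplied (assumption)."""
    def callback(connection, ocsp_data, user_data):
        resp = parse(ocsp_data) if ocsp_data else None  # empty bytes: server stapled nothing
        return stapled_response_acceptable(resp, expected_serial, datetime.now(timezone.utc))[0]
    return callback
NOW = datetime(2019, 10, 10, 1, 38, tzinfo=timezone.utc)  # constructed reference time
H = timedelta(hours=1)

def demo():
    """Constructed responses run through the policy; returns {case: accepted}."""
    cases = {
        "fresh_good": StapledStatus("good", 0x1234, NOW - H, NOW + 72 * H, True),
        "expired": StapledStatus("good", 0x1234, NOW - 240 * H, NOW - H, True),
        "revoked": StapledStatus("revoked", 0x1234, NOW - H, NOW + 72 * H, True),
        "wrong_cert": StapledStatus("good", 0x9999, NOW - H, NOW + 72 * H, True),
        "unsigned": StapledStatus("good", 0x1234, NOW - H, NOW + 72 * H, False),
    }
    return {name: stapled_response_acceptable(r, 0x1234, NOW)[0] for name, r in cases.items()}
```

A soft-fail variant would accept an absent staple and fall back to a live OCSP query; the hard-fail form above is what a must-staple deployment needs.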
Considering OCSP has fallen out of favor relative to CT in recent years, maybe we should simply reject this feature request.
OCSP is the only way Let's Encrypt supports revocation. It would be really useful to have stapling verification supported in the standard library, even just the callback support PyOpenSSL supports.
On Thu 2019-10-10 01:38:42 +0000, Benjamin Peterson wrote:
Considering OCSP has fallen out of favor relative to CT in recent years, maybe we should simply reject this feature request.
CT provides the possibility of a website operator to *detect* CA malfeasance.
OCSP provides a live "proof of freshness" of the certificate at a cadence significantly shorter than the lifetime of most certificates (even the 90-day certificates offered by ACME-driven CAs like Let's Encrypt).
These are orthogonal, and mutually-reinforcing mechanisms, not competing mechanisms.
--dkg
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
GitHub fields:
```python
assignee = 'https://github.com/tiran'
closed_at = None
created_at =
labels = ['extension-modules', 'expert-SSL', 'type-feature', '3.8']
title = 'Add OCSP support to ssl module'
updated_at =
user = 'https://github.com/tiran'
```
bugs.python.org fields:
```python
activity =
actor = 'dkg'
assignee = 'christian.heimes'
closed = False
closed_date = None
closer = None
components = ['Extension Modules', 'SSL']
creation =
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 17123
keywords = []
message_count = 10.0
messages = ['181341', '181353', '181354', '181372', '200763', '275045', '354292', '354306', '354756', '354825']
nosy_count = 11.0
nosy_names = ['barry', 'georg.brandl', 'jcea', 'pitrou', 'christian.heimes', 'benjamin.peterson', 'Arfrever', 'pconnell', 'dkg', 'behackett', 'ShaneHarvey']
pr_nums = []
priority = 'normal'
resolution = None
stage = 'needs patch'
status = 'open'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue17123'
versions = ['Python 3.8']
```