python / cpython

The Python programming language
https://www.python.org/

Add OCSP support to ssl module #61325

Open tiran opened 11 years ago

tiran commented 11 years ago
BPO 17123
Nosy @warsaw, @birkenfeld, @jcea, @pitrou, @tiran, @benjaminp, @phmc, @dkg, @ShaneHarvey

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

```python
assignee = 'https://github.com/tiran'
closed_at = None
created_at =
labels = ['extension-modules', 'expert-SSL', 'type-feature', '3.8']
title = 'Add OCSP support to ssl module'
updated_at =
user = 'https://github.com/tiran'
```

bugs.python.org fields:

```python
activity =
actor = 'dkg'
assignee = 'christian.heimes'
closed = False
closed_date = None
closer = None
components = ['Extension Modules', 'SSL']
creation =
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 17123
keywords = []
message_count = 10.0
messages = ['181341', '181353', '181354', '181372', '200763', '275045', '354292', '354306', '354756', '354825']
nosy_count = 11.0
nosy_names = ['barry', 'georg.brandl', 'jcea', 'pitrou', 'christian.heimes', 'benjamin.peterson', 'Arfrever', 'pconnell', 'dkg', 'behackett', 'ShaneHarvey']
pr_nums = []
priority = 'normal'
resolution = None
stage = 'needs patch'
status = 'open'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue17123'
versions = ['Python 3.8']
```

tiran commented 11 years ago

Python's ssl module doesn't support OCSP [1]. The example code at [2] doesn't look too complicated. We should consider OCSP at least for 3.4 and may want to backport it to older versions to prevent MITM attacks on PyPI downloads.

[1] http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
[2] http://etutorials.org/Programming/secure+programming/Chapter+10.+Public+Key+Infrastructure/10.12+Checking+Revocation+Status+via+OCSP+with+OpenSSL/

pitrou commented 11 years ago

Can you explain how OCSP helps prevent MITM attacks?

----- Original message -----

From: "Christian Heimes" <report@bugs.python.org>
To: pitrou@free.fr
Sent: Monday 4 February 2013 17:14:32
Subject: [bpo-17123] Add OCSP support to ssl module

New submission from Christian Heimes:

Python's ssl module doesn't support OCSP [1]. The example code at [2] doesn't look too complicated. We should consider OCSP at least for 3.4 and may want to backport it to older versions to prevent MITM attacks on PyPI downloads.

tiran commented 11 years ago

OCSP can prevent MITM attacks when the private server cert or CA cert got compromised or stolen somehow.

pitrou commented 11 years ago

Christian, I really don't agree this should be a release blocker, and especially not for bugfix branches.

tiran commented 10 years ago

I won't have time for a proper implementation for 3.4. Defer to 3.5

tiran commented 7 years ago

I'll add OCSP stapling verification to 3.7.

39c07e1b-89c0-4d3a-896b-96ef642f9223 commented 4 years ago

It would be great to see at least minimal OCSP stapling support (in the form of callbacks on the client and server sides) available in the ssl module, similar to the way that pyopenssl has added such callbacks:

https://github.com/pyca/pyopenssl/pull/580

If that was present in the ssl module, then it would let other implementations supply reasonable callback functionality for fetching and relaying stapled OCSP responses (on the server side) and validating in-band OCSP responses (on the client side).

benjaminp commented 4 years ago

Considering OCSP has fallen out of favor relative to CT in recent years, maybe we should simply reject this feature request.

311eef77-bab8-48e0-b836-68a7a1f4c797 commented 4 years ago

OCSP is the only way Let's Encrypt supports revocation. It would be really useful to have stapling verification supported in the standard library, even just the callback support PyOpenSSL supports.

https://letsencrypt.org/docs/revoking/

39c07e1b-89c0-4d3a-896b-96ef642f9223 commented 4 years ago

On Thu 2019-10-10 01:38:42 +0000, Benjamin Peterson wrote:

Considering OCSP has fallen out of favor relative to CT in recent years, maybe we should simply reject this feature request.

CT provides the possibility of a website operator to *detect* CA malfeasance.

OCSP provides a live "proof of freshness" of the certificate at a cadence significantly shorter than the lifetime of most certificates (even the 90-day certificates offered by ACME-driven CAs like Let's Encrypt).

These are orthogonal, and mutually-reinforcing mechanisms, not competing mechanisms.

  --dkg