Open achow101 opened 3 years ago
@achow101 :100: agree
I came across the same issue, which led me to raise #36, as it seems there are at least 3 certificate chain validation issues with this library.
i.e. 3 concerns that I looked into; I stopped because 3 of 3 failed. There are very likely more cert chain validation issues present.
The facts of this whole issue:
- pyOpenSSL: just bindings for OpenSSL for this issue
- certifi, and everything based on it (urllib, requests, etc.): doesn't do validation at all, period (if the https response was validated by OpenSSL and has data, then no one cares about actually validating any certs)
- asn1crypto: similar to pyOpenSSL, which this library knows well, as it is built upon asn1crypto to add the missing validations..
- cryptography: again similar to pyOpenSSL; however, they at least debated this for quite a few years, with no plan to start a solution

So it is a very sorry state for certificate validation, and why we are seeing so many breaches: no one actually uses TLS properly anywhere, it's all smoke and mirrors.
@wbond any chance you'd be interested in reviewing / merging this change?
Some certificates will contain critical extensions that certvalidator doesn't know about. If the caller knows those critical extensions, it can pass them into ValidationContext so that validate_path doesn't error when it gets to the critical extensions check.
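As an added illustration of the check this PR touches (example code written for this page, not certvalidator's own implementation and not the PR's diff): RFC 5280 section 4.2 requires a validator to reject a certificate that carries a critical extension it does not recognise, which is why a caller that does understand an extra critical extension needs a way to declare it. The block below implements that rule over a hand-encoded X.509 Extensions structure so it runs offline without asn1crypto or cryptography. The set of standard OIDs, the sample extension values and the private OID 1.3.6.1.4.1.99999.1 are assumptions made for the example, and the function names are not certvalidator's API.

```python
# Added example (not certvalidator's or the PR author's code): the RFC 5280 rule
# that a critical extension the validator does not understand must fail
# validation, plus a caller-supplied allowlist of extra known critical OIDs.
# The DER encoder/decoder covers only the Extensions structure. Sample OIDs and
# values are constructed; 1.3.6.1.4.1.99999.1 is a made-up private arc.
from typing import Iterable, List, Set

# Standard extensions a path validator processes (RFC 5280 4.2.1.3 to 4.2.1.14).
# Illustrative set, not certvalidator's actual list.
STANDARD_CRITICAL_EXTENSIONS: Set[str] = {
    "2.5.29.15",  # keyUsage
    "2.5.29.17",  # subjectAltName
    "2.5.29.19",  # basicConstraints
    "2.5.29.30",  # nameConstraints
    "2.5.29.32",  # certificatePolicies
    "2.5.29.33",  # policyMappings
    "2.5.29.36",  # policyConstraints
    "2.5.29.37",  # extKeyUsage
    "2.5.29.54",  # inhibitAnyPolicy
}

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))

def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def _read_tlv(data: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
def encode_extension(oid: str, critical: bool, value: bytes) -> bytes:
    parts = encode_oid(oid)
    if critical:                      # DER omits the BOOLEAN when it equals the default
        parts += _tlv(0x01, b"\xff")
    return _tlv(0x30, parts + _tlv(0x04, value))

def encode_extensions(exts: Iterable[tuple]) -> bytes:
    return _tlv(0x30, b"".join(encode_extension(*e) for e in exts))

def parse_extensions(der: bytes) -> List[tuple]:
    """Return (oid, critical, value) triples from a DER Extensions SEQUENCE."""
    _, seq, _ = _read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        tag, body, p = _read_tlv(ext, p)
        critical = False
        if tag == 0x01:               # optional BOOLEAN present
            critical = body != b"\x00"
            _, body, p = _read_tlv(ext, p)
        out.append((decode_oid(oid_body), critical, body))
    return out

def unknown_critical_extensions(der: bytes, known_critical: Iterable[str] = ()) -> List[str]:
    """OIDs marked critical that neither the validator nor the caller understands."""
    known = STANDARD_CRITICAL_EXTENSIONS | set(known_critical)
    return [oid for oid, critical, _ in parse_extensions(der) if critical and oid not in known]

def check_critical_extensions(der: bytes, known_critical: Iterable[str] = ()) -> None:
    unknown = unknown_critical_extensions(der, known_critical)
    if unknown:
        raise ValueError("unrecognised critical extension(s): " + ", ".join(unknown))

# Constructed sample: keyUsage and basicConstraints critical, a private-arc
# extension marked critical, subjectKeyIdentifier non-critical.
SAMPLE_EXTENSIONS = encode_extensions([
    ("2.5.29.15", True, b"\x03\x02\x05\xa0"),           # keyUsage: digitalSignature, keyEncipherment
    ("2.5.29.19", True, b"\x30\x00"),                   # basicConstraints: end entity
    ("1.3.6.1.4.1.99999.1", True, b"\x04\x00"),         # made-up private extension
    ("2.5.29.14", False, b"\x04\x04\x01\x02\x03\x04"),  # subjectKeyIdentifier
])

if __name__ == "__main__":
    try:
        check_critical_extensions(SAMPLE_EXTENSIONS)
    except ValueError as e:
        print("default validator:", e)
    check_critical_extensions(SAMPLE_EXTENSIONS, known_critical={"1.3.6.1.4.1.99999.1"})
    print("with caller-supplied known OIDs: accepted")
```

Without the allowlist the sample fails on the private OID; passing that OID in `known_critical` lets the same extensions through, which is the behaviour the PR description gives `ValidationContext` for real certificates. Note the check only decides whether the extension is recognised; whatever semantics the caller attaches to the extension still have to be enforced by the caller.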