Message 281260 - Python tracker

Author christian.heimes
Recipients christian.heimes, ned.deily, steve.dower
Date 2016-11-20.10:52:07
Message-id <1479639127.99.0.61288628058.issue28747@psf.upfronthosting.co.za>
Content
IMHO SSL_CTX_set_cert_verify_callback() is the wrong approach. You are completely bypassing the cert validation checks of OpenSSL. The callback has to build the chain and perform all checks on its own. By all checks I literally mean *all*, https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_cert_verify_callback(3)#WARNINGS

Basically you want to replace OpenSSL's X509 verification with Windows' cert validation and just leave the handshake and encryption to OpenSSL?