Commit 3e509b16 by Vincent Pelletier

http: Update comment about CRL verification by socket ssl context.

1 parent 7b9f6e2a
......@@ -226,15 +226,13 @@ def getSSLContext(
# If a client wishes to use https for unauthenticated operations, that's
# fine too.
ssl_context.verify_mode = ssl.CERT_OPTIONAL
# Note: it does not seem possible to get python's openssl context to check
# certificate revocation:
# - calling load_verify_locations(cadata=<crl data>) or
# load_verify_locations(cadata=<crl data> + <ca crt data>) raises
# - calling load_verify_locations(cadata=<ca crt data> + <crl data>) fails to
# validate CA completely
# Anyway, wsgi application level is supposed (and automatically tested to)
# verify revocations too, so this should not be a big issue... Still,
# implementation cross-check would have been nice.
# Note: python's standard ssl module does not provide a way to replace the
# current CRL file on an existing openssl context: load_verify_locations ends
# up calling X509_STORE_add_crl, which either adds the CRL to its list of
# files or rejects the file. So either memory usage with increase until
# context gets renewed, or we get stuck with an old CRL. So expect wsgi
# application to implement these checks on its own when accessing client's
# certificate.
#ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
ssl_context.load_verify_locations(
cadata=utils.toUnicode(cau.getCACertificate()),
......
Styling with Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!