Commit 3e509b16 authored by Vincent Pelletier

http: Update comment about CRL verification by socket ssl context.

parent 7b9f6e2a
...@@ -226,15 +226,13 @@ def getSSLContext( ...@@ -226,15 +226,13 @@ def getSSLContext(
# If a client wishes to use https for unauthenticated operations, that's # If a client wishes to use https for unauthenticated operations, that's
# fine too. # fine too.
ssl_context.verify_mode = ssl.CERT_OPTIONAL ssl_context.verify_mode = ssl.CERT_OPTIONAL
# Note: it does not seem possible to get python's openssl context to check # Note: python's standard ssl module does not provide a way to replace the
# certificate revocation: # current CRL file on an existing openssl context: load_verify_locations ends
# - calling load_verify_locations(cadata=<crl data>) or # up calling X509_STORE_add_crl, which either adds the CRL to its list of
# load_verify_locations(cadata=<crl data> + <ca crt data>) raises # files or rejects the file. So either memory usage with increase until
# - calling load_verify_locations(cadata=<ca crt data> + <crl data>) fails to # context gets renewed, or we get stuck with an old CRL. So expect wsgi
# validate CA completely # application to implement these checks on its own when accessing client's
# Anyway, wsgi application level is supposed (and automatically tested to) # certificate.
# verify revocations too, so this should not be a big issue... Still,
# implementation cross-check would have been nice.
#ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF #ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
ssl_context.load_verify_locations( ssl_context.load_verify_locations(
cadata=utils.toUnicode(cau.getCACertificate()), cadata=utils.toUnicode(cau.getCACertificate()),
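Review bot: the rewritten comment has a typo in "memory usage with increase until context gets renewed" (should read "will increase"), and it drops the old comment's point that the application-level revocation check is "automatically tested", which is worth keeping because, with `#ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF` still commented out, that application-level check is the only revocation check left. Suggested wording for the affected lines: "# up calling X509_STORE_add_crl, which either adds the CRL to the store or" / "# rejects it. So either memory usage will increase until the context gets" / "# renewed, or we get stuck with an old CRL. The wsgi application is expected (and automatically tested) to check revocation on its own when accessing the client's certificate."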