2012-09-06 21:14:53 |
Jamie Strandboge |
description |
The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITMd:
#!/usr/bin/python
from urllib3 import HTTPSConnectionPool
http_pool = VerifiedHTTPSConnection('www.google.com')
r = http_pool.urlopen('GET', '/', redirect=False)
print r.status, r.headers.get('location')
r = http_pool.urlopen('GET', '/', redirect=True)
print r.status, len(r.data)
Changing it to use:
http_pool = HTTPSConnectionPool('www.google.com', strict=False, cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')
Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to. |
The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITMd:
#!/usr/bin/python
from urllib3 import HTTPSConnectionPool
http_pool = VerifiedHTTPSConnection('www.google.com')
r = http_pool.urlopen('GET', '/', redirect=False)
print r.status, r.headers.get('location')
r = http_pool.urlopen('GET', '/', redirect=True)
print r.status, len(r.data)
Changing it to use:
http_pool = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')
Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to. |
|