The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITMd:
#!/usr/bin/python
from urllib3 import HTTPSConnectionPool
# No cert_reqs/ca_certs are given, so this pool does not verify the server certificate.
http_pool = HTTPSConnectionPool('www.google.com')
r = http_pool.urlopen('GET', '/', redirect=False)
print r.status, r.headers.get('location')
r = http_pool.urlopen('GET', '/', redirect=True)
print r.status, len(r.data)
Changing it to use:
http_pool = HTTPSConnectionPool('www.google.com', strict=False, cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')
Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to.
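Added example, not code from the report or from urllib3 itself: a helper that builds a pool the way the fix above does, and an audit that flags any pool whose verification was not configured explicitly. It assumes the cert_reqs/ca_certs parameters shown above and urllib3's urllib3.util.ssl_.resolve_cert_reqs helper; the bundle path is the one from the report.

```python
"""Build a verifying HTTPSConnectionPool and audit pools for unverified setups."""
import os
import ssl
from urllib3 import HTTPSConnectionPool
from urllib3.util.ssl_ import resolve_cert_reqs

# CA bundle path from the report (Debian/Ubuntu ca-certificates package).
SYSTEM_CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'


def make_verified_pool(host, ca_certs=SYSTEM_CA_BUNDLE, **kw):
    """Return a pool that rejects servers whose chain does not validate against
    ca_certs.  Verification is requested explicitly instead of being left to
    whatever the installed urllib3 release happens to default to."""
    return HTTPSConnectionPool(host, cert_reqs='CERT_REQUIRED',
                               ca_certs=ca_certs, **kw)


def audit_pool(pool):
    """Return a list of findings; an empty list means the pool verifies peers
    against an existing CA bundle.

    resolve_cert_reqs maps the string/int forms of cert_reqs onto an
    ssl.CERT_* constant, so the check is independent of how the value was
    spelled when the pool was built."""
    findings = []
    raw = getattr(pool, 'cert_reqs', None)
    if raw is None:
        # This is the report's bug: an unset cert_reqs means the library
        # default decides, and old releases defaulted to no verification.
        findings.append('cert_reqs not set explicitly; effective mode depends '
                        'on the urllib3 version')
    elif resolve_cert_reqs(raw) != ssl.CERT_REQUIRED:
        findings.append('cert_reqs resolves to %r, not CERT_REQUIRED'
                        % (resolve_cert_reqs(raw),))
    ca_certs = getattr(pool, 'ca_certs', None)
    ca_cert_dir = getattr(pool, 'ca_cert_dir', None)
    if not ca_certs and not ca_cert_dir:
        findings.append('no CA bundle configured (ca_certs/ca_cert_dir)')
    elif ca_certs and not os.path.isfile(ca_certs):
        findings.append('ca_certs path %r is not readable' % (ca_certs,))
    return findings
```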