we decided that one big pile [of garbage] is better than two little piles, and rather than bring that one up we decided to throw ours down.
— Arlo Guthrie, "Alice's Restaurant"
We currently verify hostnames using the service_identity Python library, but doing this is part of the verification process, which is OpenSSL's job as long as we're using OpenSSL for TLS. We also do weird shenanigans with the info callback rather than just letting verification proceed as normal, and it's generally quite confusing and squirrely, which is bad for security-critical code.
Doing this the right way is blocked by this pyOpenSSL issue, but in a comment there is a reference to the hostname logic in mitmproxy, which just calls the OpenSSL functions directly without waiting for pyOpenSSL to wrap them properly; we might want to do the same thing.