

Controlling and troubleshooting certificate verification

Troubleshooting certificate verification
Modifying Python programs to control certificate verification

The Python standard library includes multiple modules that provide HTTP client functionality, including httplib, urllib, urllib2, and xmlrpclib. While these modules support HTTPS connections, they traditionally performed no verification of the certificates presented by HTTPS servers, and offered no easy way to enable such verification. This allows a man-in-the-middle (MITM) attacker to hijack HTTPS connections from Python clients and to eavesdrop on or modify the transferred data.

This lack of certificate verification was well known, and in relevant use cases it was usually worked around either by implementing verification in the application itself or by using a different HTTP client library that performs certificate verification. The package management tools in Red Hat Enterprise Linux are an example: the Yum package manager used in Red Hat Enterprise Linux 5, 6, and 7 uses the python-pycurl module, a wrapper around the curl/libcurl library, which performs certificate verification; the up2date package manager used in Red Hat Enterprise Linux 4 and earlier implemented certificate verification using the m2crypto module.

Even though this limitation was well known, many application authors were not aware of it or assumed that all expected checks were performed. That led to reports of several security flaws over time, and to the assignment of CVE-2014-9365 for the lack of certificate verification in the Python standard library HTTP clients.
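The practical question behind the paragraphs above is how a Python program can be made to reject a forged certificate, and how to read the error when a legitimate one is rejected. The following is an added example, not code from this article or from the Python project. It assumes a Python with the PEP 476 additions (2.7.9 and 3.4 or later), in which ssl.create_default_context() exists and HTTPSConnection accepts a `context` argument; the host name, the CA file argument and the error strings it matches on are constructed for illustration, the strings being the verification messages commonly emitted by OpenSSL and Python and not guaranteed for every version.

```python
# Added example (not from the article): enforce, relax and triage certificate
# verification on the stdlib HTTPS client. Assumes Python 2.7.9+ or 3.4+,
# where ssl.create_default_context() exists and HTTPSConnection takes a
# `context` argument. Host names and error strings below are constructed.
import ssl

try:                                   # Python 3 module name
    from http.client import HTTPSConnection
except ImportError:                    # Python 2 name of the same module
    from httplib import HTTPSConnection


def verifying_context(cafile=None):
    """Context that requires a trusted chain AND a matching host name.

    cafile=None uses the platform trust store (the ca-certificates bundle
    on RHEL); pass a PEM path to trust a private CA instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already sets both; restate the policy so it
    # is visible to a reviewer without knowing the library defaults.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_context():
    """Reproduces the historical httplib/urllib2 behaviour the article
    describes: encryption without authentication of the peer. Any
    certificate, including an attacker's, is accepted. Debugging only."""
    return ssl._create_unverified_context()   # PEP 476 opt-out helper


_VERIFY_MODE_NAMES = {
    ssl.CERT_NONE: "CERT_NONE",
    ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
    ssl.CERT_REQUIRED: "CERT_REQUIRED",
}


def describe_context(ctx):
    """Return the two settings that decide whether a MITM is detected."""
    return {
        "verify_mode": _VERIFY_MODE_NAMES[int(ctx.verify_mode)],
        "check_hostname": bool(ctx.check_hostname),
    }


def https_get(host, path, context, port=443, timeout=10):
    """GET over TLS using the supplied context; returns (status, body).

    With verifying_context() a forged or mis-issued certificate raises
    ssl.SSLError before any request data is sent; with legacy_context()
    the same request silently succeeds against the attacker."""
    conn = HTTPSConnection(host, port, timeout=timeout, context=context)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


# Substrings of the verification failure messages OpenSSL/Python produce
# (assumed from common versions; extend for your platform), mapped to the
# next thing to check. Order matters: the first match wins.
_VERIFY_HINTS = (
    ("hostname", "hostname-mismatch",
     "certificate CN/SAN does not cover the host in the URL: check CNAMEs, "
     "IP literals and whether the server presents the right certificate"),
    ("expired", "expired",
     "check the system clock and the certificate's notAfter date"),
    ("self signed", "untrusted-issuer",
     "server uses a self-signed certificate: trust it via cafile or replace it"),
    ("unable to get local issuer", "untrusted-issuer",
     "issuing CA is not in the trust store: install the CA or pass cafile"),
)


def classify_verify_error(exc):
    """Map an SSL verification exception to (label, what-to-check)."""
    msg = str(exc).lower().replace("-", " ")   # "self-signed" -> "self signed"
    for needle, label, hint in _VERIFY_HINTS:
        if needle in msg:
            return label, hint
    return "unknown", str(exc)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # constructed
    try:
        status, _ = https_get(host, "/", verifying_context())
        print("%s: verified, HTTP %d" % (host, status))
    except ssl.SSLError as err:
        print("%s: verification failed (%s): %s"
              % ((host,) + classify_verify_error(err)))
```

The same context object can be handed to the urllib2/urllib.request stack through HTTPSHandler(context=ctx) and build_opener(), so one policy covers both client modules. The distinction describe_context() exposes is the whole security argument of the article: with verify_mode CERT_NONE and check_hostname off, the TLS handshake still completes and data is still encrypted, but to whoever sits in the middle.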
