Validation of X.509 certificates is essential to create secure SSL/TLS sessions not vulnerable to man-in-the-middle attacks.
The certificate chain validation includes these steps:
It's not recommended to reinvent the wheel by implementing custom certificate chain validation.
TLS libraries provide built-in certificate validation functions that should be used.
psf/requests library:
import requests
requests.request('GET', 'https://example.domain', verify=False) # Noncompliant
requests.get('https://example.domain', verify=False) # Noncompliant
Python ssl standard library:
import ssl ctx1 = ssl._create_unverified_context() # Noncompliant: by default certificate validation is not done ctx2 = ssl._create_stdlib_context() # Noncompliant: by default certificate validation is not done ctx3 = ssl.create_default_context() ctx3.verify_mode = ssl.CERT_NONE # Noncompliant
pyca/pyopenssl library:
from OpenSSL import SSL ctx1 = SSL.Context(SSL.TLSv1_2_METHOD) # Noncompliant: by default certificate validation is not done ctx2 = SSL.Context(SSL.TLSv1_2_METHOD) ctx2.set_verify(SSL.VERIFY_NONE, verify_callback) # Noncompliant
psf/requests library:
import requests
requests.request('GET', 'https://example.domain', verify=True)
requests.request('GET', 'https://example.domain', verify='/path/to/CAbundle')
requests.get(url='https://example.domain') # by default certificate validation is enabled
Python ssl standard library:
import ssl ctx = ssl.create_default_context() ctx.verify_mode = ssl.CERT_REQUIRED ctx = ssl._create_default_https_context() # by default certificate validation is enabled
pyca/pyopenssl library:
from OpenSSL import SSL ctx = SSL.Context(SSL.TLSv1_2_METHOD) ctx.set_verify(SSL.VERIFY_PEER, verify_callback) # Compliant ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback) # Compliant ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT | SSL.VERIFY_CLIENT_ONCE, verify_callback) # Compliant