Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop md5 and sha1 fingerprints #2267

Closed
asvetlov opened this issue Sep 12, 2017 · 7 comments · Fixed by #2535
Closed

Drop md5 and sha1 fingerprints #2267

asvetlov opened this issue Sep 12, 2017 · 7 comments · Fixed by #2535
Labels
outdated
Milestone
3.0

Comments

@asvetlov
Copy link
Member

Should be done in 3.0
@asvetlov asvetlov added this to the 3.0 milestone Sep 12, 2017
@asvetlov asvetlov mentioned this issue Oct 19, 2017
Closed
@oleksandr-kuzmenko
Copy link
Contributor

I can help with this

@redixin
Copy link
Contributor

redixin commented Oct 30, 2017

To extract signature hash algorithm we need to use either openssl or cryptography. Core library does not expose this information: https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.getpeercert

@Alxpy @asvetlov ideas?

@Alxpy are you still interested in this issue?

@asvetlov
Copy link
Member Author

We use getpeercert(binary_form=True), everything works fine for years

@redixin
Copy link
Contributor

redixin commented Oct 30, 2017

Sorry I misunderstood what exactly is needed. I thought you want to disallow client connections to https servers where md5|sha1 was used to sign certificate by CA.

So you want to disallow sha1|md5 while checking fingerprint as described here?

# Attempt to connect to https://www.python.org
# with a pin to a bogus certificate:
bad_fingerprint = b'0'*64
exc = None
try:
    r = await session.get('https://www.python.org',
                          fingerprint=bad_fingerprint)
except aiohttp.FingerprintMismatch as e:
    exc = e
assert exc is not None
assert exc.expected == bad_fingerprint

# www.python.org cert's actual fingerprint
assert exc.got == b'...'

Looks like its enough to raise (instead of warning) something from aiohttp/client_exceptions.py in this piece:

aiohttp/aiohttp/client_reqrep.py

Line 348 in 20362c5

warnings.warn('md5 and sha1 are insecure and deprecated. '

Should new exception be created? Like InsecureFingerprintHash(ClientSSLError)

@asvetlov
Copy link
Member Author

I think ValueError is enough.

@oleksandr-kuzmenko
Copy link
Contributor

@redixin yes, I'm interested in this issue, I'll do it on the weekend

asvetlov added a commit that referenced this issue Nov 19, 2017
@asvetlov
Fix #2267: Drop md5 and sha1 fingerprints
50d07eb
@asvetlov asvetlov mentioned this issue Nov 19, 2017
Merged
asvetlov added a commit that referenced this issue Nov 19, 2017
@asvetlov
Drop md5 and sha1 fingerprints (#2535)
8e7985a 
* Fix #2267: Drop md5 and sha1 fingerprints

* Add missing changenote

* Fix spelling
@lock
Copy link

lock bot commented Oct 28, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a [new issue] for related bugs.
If you feel like there's important points made in this discussion, please include those exceprts into that [new issue].
[new issue]: https://github.com/aio-libs/aiohttp/issues/new

@lock lock bot added the outdated label Oct 28, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 28, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
outdated
Projects
None yet
Milestone
3.0
Development

Successfully merging a pull request may close this issue.

Drop md5 and sha1 fingerprints aio-libs/aiohttp
3 participants
@redixin @asvetlov @oleksandr-kuzmenko