Validate TLS certificate

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject’s (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

See also PEP 476 (Enabling certificate verification by default for stdlib http clients) and PEP 466 (Network Security Enhancements for Python 2.7.x).
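
As an added example, not code from this advisory or from CPython itself, the hostname rule the description spells out (match against subjectAltName DNS entries, falling back to the subject Common Name only when the certificate carries no DNS SANs) written as a small checker over the dictionary shape `ssl.getpeercert()` returns, together with an audit that tells a verifying `SSLContext` from one that would accept an arbitrary valid certificate the way the pre-2.7.9 / 3.4.3 clients did. The sample certificate dictionary is constructed; hostnames are assumed to be plain ASCII labels.

```python
import ssl


def _match_dns_pattern(pattern, hostname):
    """RFC 6125-style match of one DNS name pattern against a hostname.
    A wildcard is honoured only as the entire leftmost label, and only
    when at least two labels follow it (so "*.com" and "*" are rejected)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # partial wildcards, too-broad wildcards, depth mismatch
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if hostname matches cert (dict in the ssl.getpeercert() shape).
    subjectAltName DNS entries take precedence; the Common Name is consulted
    only when no DNS SAN is present."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_match_dns_pattern(name, hostname) for name in dns_names)


def verifying_context():
    """Context with the defaults PEP 476 introduced: trust-store check and hostname check on."""
    return ssl.create_default_context()


def context_is_safe(ctx):
    """Audit helper: a context only counts as safe when it both checks the chain
    against a trust store (CERT_REQUIRED) and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Constructed sample, in the shape ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    for host in ("example.com", "api.example.com", "a.b.example.com", "evil.com"):
        print(host, hostname_matches(SAMPLE_CERT, host))
    print("default context safe:", context_is_safe(verifying_context()))
```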

Dates:

  • Disclosure date: 2014-08-28 (PEP 476 created)
  • Reported by: Alex Gaynor (PEP 476 author)

Fixed In

Python issue

PEP 476: verify HTTPS certificates by default.

  • Python issue: bpo-22417
  • Creation date: 2014-09-15
  • Reporter: Nick Coghlan

CVE-2014-9365

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject’s (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CWE-295: Improper Certificate Validation (http://cwe.mitre.org/data/definitions/295.html)

Timeline

Timeline using the disclosure date 2014-08-28 as reference:

  • 2014-08-28: Disclosure date (PEP 476 created)
  • 2014-09-15 (+18 days): Python issue bpo-22417 reported by Nick Coghlan
  • 2014-11-03 (+67 days): commit 4ffb075 (branch 3.4)
  • 2014-11-24 (+88 days): commit e3e7d40 (branch 2.7)
  • 2014-12-10 (+104 days): Python 2.7.9 released
  • 2014-12-12 (+106 days): CVE-2014-9365 published
  • 2015-02-25 (+181 days): Python 3.4.3 released
  • 2015-09-12: Python 3.5.0 released