Comments (17)
Merely my own personal project, not on paid time for Beeper. (and occasionally because it's easier to experiment with new features in python)
from pypush.
You mean these ones?
from pypush.
Yep!
from pypush.
Well, lemme work on it, I'll PR real quick.
from pypush.
Well, one domain that causes some trouble is init-p01st.push.apple.com.
The problem is, the hostname is not in the certificate hostnames:
$ openssl x509 -in init-p01st.push.apple.com.pem -noout -subject
subject=C = US, ST = Massachusetts, L = Cambridge, O = "Akamai Technologies, Inc.", CN = a248.e.akamai.net
Which of course doesn't match the hostname. Hence, I don't think there is an option to actually verify the connection, as the certificate is just wrong.
from pypush.
You could still technically verify it, since it is a valid certificate (just for a different hostname), but probably not with Requests. Or am I missing something?
from pypush.
Well, yes, without requests it will be possible in some way, maybe using urllib3. But currently the program uses requests, so I don't know if we can use urllib3.
from pypush.
I can currently push a PR for only specific domains, but there will be a couple with verify=False.
from pypush.
Honestly, I'm kind of thinking that maybe it's better to leave pypush with verify=False, or at least leave a global "DEBUG" option. It's quite useful for debugging to be able to simply mitm the connection. I don't think anyone is really going to be using pypush in an environment where this is a concern?
from pypush.
Well I guess pypush is a demo program, so maybe you're right. But if pypush is going to be used as a base of something better, it's important to make sure security is at its best.
from pypush.
> Well I guess pypush is a demo program, so maybe you're right. But if pypush is going to be used as a base of something better, it's important to make sure security is at its best.

That is Beeper's plan.
from pypush.
Then I believe verifying certs should be implemented, at least partially.
from pypush.
> Then I believe verifying certs should be implemented, at least partially.

We should find where Apple devices get the certs.
from pypush.
They've already been found. Apple probably verifies the certificates without hostname checks or in another way.
from pypush.
Beeper is rewriting pypush in GO, so they can do that there.
If you want to pin the certs, I've already done that in rustpush, look in https://github.com/TaeHagen/rustpush/tree/master/certs/root. All the certs you will need are there.
For the APNs connection, you have to validate the cert against a different hostname (without the number prefix). I do that in Rust, not sure how the APIs work in Python.
from pypush.
Then why are commits still being pushed?
from pypush.
I think I'm going to just close this issue. Not pinning certificates actually makes it much easier for development, and this isn't meant to be used in production. Will be revisited if/when this ever gets pushed to pypi.
from pypush.