Verify TLS certificates about pypush HOT 17 CLOSED

Merely my own personal project, not on paid time for Beeper. (and occasionally because it's easier to experiment with new features in python)

from pypush.

You mean these ones?

from pypush.

Yep!

from pypush.

Well, lemme work on it I'll PR real quick.

from pypush.

Well, one domain that causes some trouble, is init-p01st.push.apple.com.
The problem is, the hostname is not in the certificate hostnames:

$ openssl x509 -in init-p01st.push.apple.com.pem -noout -subject
subject=C = US, ST = Massachusetts, L = Cambridge, O = "Akamai Technologies, Inc.", CN = a248.e.akamai.net

Which of-course doesn't match the hostname. Hence, I don't think there is an option to actually verify the connection, as the certificate is just wrong.

from pypush.

You could still technically verify it, since it is a valid certificate (just for a different hostname), but probably not with Requests. Or am I missing something?

from pypush.

Well, yes, without requests, it will be in some way possible, maybe using urllib3. But currently the program uses requests so I don't know if we can use urllib3.

from pypush.

I can currently push a PR for only specific domains, but there will be a couple with verify=False.

from pypush.

Honestly, I'm kind of thinking that maybe it's better to leave pypush with verify=False, or at least leave a global "DEBUG" option. It's quite useful for debugging to be able to simply mitm the connection. I don't think anyone is really going to be using pypush in an environment where this is a concern?

from pypush.

Well I guess pypush is a demo program, so maybe you're right. But if pypush is going to be used as a base of something better, it's important to make security is at its best.

from pypush.

Well I guess pypush is a demo program, so maybe you're right. But if pypush is going to be used as a base of something better, it's important to make security is at its best.

That is Beeper's plan

from pypush.

Then I believe verifying certs should be implemented, at least partially.

from pypush.

Then I believe verifying certs should be implemented, at least partially.

We should find where Apple devices get the certs.

from pypush.

They're already been found. Apple probably verifies the certificates without hostname checks or in another way.

from pypush.

Beeper is rewriting pypush in GO, so they can do that there.

If you want to pin the certs, I've already done that in rustpush, look in https://github.com/TaeHagen/rustpush/tree/master/certs/root. All the certs you will need are there.

For the APNs connection, you have to validate the cert against a different hostname (without the number prefix). I do that in rust, not sure how the API's work in python.

from pypush.

Then why are commits still being pushed?

from pypush.

I think I'm going to just close this issue. Not pinning certificates actually makes it much easier for development, and this isn't meant to be used in production. Will be revisited if/when this ever gets pushed to pypi.

from pypush.