sjs/vdirsyncer
1
0
Fork 0
mirror of https://github.com/samsonjs/vdirsyncer.git synced 2026-04-08 11:15:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Improve documentation on verify_fingerprint

Browse source
This commit is contained in:
Markus Unterwaditzer 2015-04-10 17:32:34 +02:00
parent d85da54300
commit 1cbb8f2274
2 changed files with 14 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
docs/ssl-tutorial.rst
View file

@ -9,7 +9,9 @@ Vdirsyncer uses the requests_ library for all its HTTP and SSL interaction.
All SSL configuration is done per-storage. Storages that have anything to do
with SSL have two parameters: ``verify`` and ``verify_fingerprint``.
- The ``verify`` parameter determines whether to verify SSL certificates.
- The ``verify`` parameter determines whether to verify SSL certificates the
way browsers do: By comparing against a trust store, and by checking the
certificate's expiration date.
1. The default, ``true``, means that certificates will be validated against a
set of trusted CAs. See :ref:`ssl-cas`.
@ -36,15 +38,16 @@ with SSL have two parameters: ``verify`` and ``verify_fingerprint``.
...
verify_fingerprint = "94:FD:7A:CB:50:75:A4:69:82:0A:F8:23:DF:07:FC:69:3E:CD:90:CA"
Using it will effectively set ``verify=False``.
Using it will implicitly set ``verify=False``, which means that the pinned
certificate doesn't have to be by a trusted CA to be accepted by vdirsyncer.
.. _ssl-cas:
Trusted CAs
-----------
As said, vdirsyncer uses the requests_ library for such parts, which, by
default, `uses its own set of trusted CAs
As said, vdirsyncer uses the requests_ library, which, by default, `uses its
own set of trusted CAs
<http://www.python-requests.org/en/latest/user/advanced/#ca-certificates>`_.
However, the actual behavior depends on how you have installed it. Some Linux

9
vdirsyncer/utils/__init__.py
View file

@ -188,9 +188,14 @@ def _verify_fingerprint_works():
return False
# https://github.com/shazow/urllib3/pull/444
#
# Without the above pull request, `verify=False` also disables fingerprint
# validation. This is *not* what we want, and it's not possible to replicate
# vdirsyncer's current behavior (verifying fingerprints without verifying
# against CAs) with older versions of urllib3.
#
# We check this here instead of setup.py, because:
# - This is critical to security of `verify_fingerprint`, and Python's
# packaging stuff doesn't check installed versions.
# - Python's packaging stuff doesn't check installed versions.
# - The people who don't use `verify_fingerprint` wouldn't care.
VERIFY_FINGERPRINT_WORKS = _verify_fingerprint_works()
del _verify_fingerprint_works