Have I found a security problem in an API or do I just not understand SSL?

Posted by jamieb on Stack Overflow See other posts from Stack Overflow or by jamieb
Published on 2010-12-22T17:37:49Z Indexed on 2010/12/23 7:54 UTC
Read the original article Hit count: 288

Filed under:
|

I'm working on building a set of Python bindings around an XML-based API provided by a vendor. The vendor requires that all transactions be conducted over SSL. Using a Linux box, I created a key file and a CSR for my application. Using their self-service web portal, I then generate a certificate using that CSR. Both the key file and the certificate are used when making the SSL request to the API.

I'm now working on designing exception classes to make error messages more verbose (and, hopefully, more useful to developers using my bindings). Part of my testing has included altering the key file: transpose a couple characters here, replace 4 or 5 with random characters there, etc. To my surprise, altering the key file had no effect! As long as I didn't change the total length of it, the API didn't complain about a bad key file. The only way I was able to throw an error was by swapping in a completely different key from another application. At that point, the API complained about the Common Name not matching.

Is this normal behavior or has the vendor not properly implemented SSL?

© Stack Overflow or respective owner

Related posts about security

Related posts about ssl