Is python's ssl.get_server_certificate safe?

Question

More specifically, if I run the following code:

import ssl

cert = """-----BEGIN CERTIFICATE-----
MIIF0zCCBTygAwIBAgIKQ8cwCQAAAABhvzANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMjA2MjcxMzU4MzBaFw0xMzA2MDcxOTQzMjda
MGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRUwEwYDVQQDFAwqLmdv
b2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALDYfDe83LlAxJ3T
+IwJLyXBmT2WcSTY2asm3q8Yl9EaUGmu0enmWkwUyiL7HybwTAZXFccanuEvI3+B
e5SMvv8Nj1/HHH2XvsP6wNnPuN9R9aaFLTdFrUVtPqbIXyaJVkUKEnxeBbOKgliD
I11FQL3Xj3Ktd09atKZJVpPT61QLAgMBAAGjggOmMIIDojAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFOJAaGs7fvzmsw8gpn/NASXlHJLR
MB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrjaxIkMFsGA1UdHwRUMFIwUKBO
oEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3Jp
dHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3JsMGYGCCsGAQUFBwEBBFowWDBW
BggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5l
dEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcnQwDAYDVR0TAQH/
BAIwADCCAmwGA1UdEQSCAmMwggJfggwqLmdvb2dsZS5jb22CCmdvb2dsZS5jb22C
DSoueW91dHViZS5jb22CC3lvdXR1YmUuY29tghYqLnlvdXR1YmUtbm9jb29raWUu
Y29tggh5b3V0dS5iZYILKi55dGltZy5jb22CDyouZ29vZ2xlLmNvbS5icoIOKi5n
b29nbGUuY28uaW6CCyouZ29vZ2xlLmVzgg4qLmdvb2dsZS5jby51a4ILKi5nb29n
bGUuY2GCCyouZ29vZ2xlLmZyggsqLmdvb2dsZS5wdIILKi5nb29nbGUuaXSCCyou
Z29vZ2xlLmRlggsqLmdvb2dsZS5jbIILKi5nb29nbGUucGyCCyouZ29vZ2xlLm5s
gg8qLmdvb2dsZS5jb20uYXWCDiouZ29vZ2xlLmNvLmpwggsqLmdvb2dsZS5odYIP
Ki5nb29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5j
b4IPKi5nb29nbGUuY29tLnZugg8qLmdvb2dsZS5jb20udHKCDSouYW5kcm9pZC5j
b22CC2FuZHJvaWQuY29tghQqLmdvb2dsZWNvbW1lcmNlLmNvbYISZ29vZ2xlY29t
bWVyY2UuY29tghAqLnVybC5nb29nbGUuY29tggwqLnVyY2hpbi5jb22CCnVyY2hp
bi5jb22CFiouZ29vZ2xlLWFuYWx5dGljcy5jb22CFGdvb2dsZS1hbmFseXRpY3Mu
Y29tghIqLmNsb3VkLmdvb2dsZS5jb22CBmdvby5nbIIEZy5jb4INKi5nc3RhdGlj
LmNvbTANBgkqhkiG9w0BAQUFAAOBgQB9KkvLwBX4q9xjOt6T3xDYiiI3TrFI73us
xE/ZbvW4v8Bd+rcWMrmt25th1KHZd9Lobxt+nAK8+5J32ViEWl00p6E2tgNNUvpI
HfNRecBebuU9B2wmCDYWavqkifCiH8EkCu3roXZjoSvKIvq1NW10YF0CaDSEtd/Z
RdMdo5TaEA==
-----END CERTIFICATE-----
"""

if cert == ssl.get_server_certificate(('google.com',443)):
    print "Valid"
else:
    print "Invalid"

where cert is the text gained by running ssl.get_server_certificate(('google.com',443)) previously.

I want to know if it is safe to assume that this code will validate that I am connecting to a server with the same certificate as before.

Or is it possible to spoof that certificate?

Note that I don't care about the common name on the certificate.

Answer 1

Considering what I read from the docs , I can see that this might not be completely safe. You need to specify the list of root certificates using ca_certs as a parameter. Then, the ssl module will take care of the verification process for you.

Some of the problems with your method might be:

1. Every certificate has notBefore and notAfter fields. We should alway check to make sure the current date is between these two values. Your code does not do that verification which is not recommended.
2. Say, the web server begins to use another CA for its certificates. Then, your code will result in a false positive and you lose functionality in this case.
3. In case any CA gets revoked, there is no way for your code to handle this.

So, I think it is best to let the ssl module handle the verification process instead of us meddling with it.