[issue2838] Verify callback for SSL
New submission from Ruben Kerkhof <ruben@rubenkerkhof.com>:

I've been playing with the new SSL module, and so far it works great.

However, when using it to connect to a host with a self signed
certificate, verification fails when I specify ssl.CERT_REQUIRED (as
expected).

I know that I'm connecting to a host with a self signed certificate, so
I want to be able to ignore that error. At the moment, the only option I
see is to specify ssl.CERT_NONE and verify the DER certificate by hand.

It would be great if I could specify a callback function that can ignore
certain errors, and does additional checking.

----------
components: Library (Lib)
messages: 66746
nosy: ruben
severity: normal
status: open
title: Verify callback for SSL
type: feature request
versions: Python 2.6

__________________________________
Tracker <report@bugs.python.org>
<http://bugs.python.org/issue2838>
__________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/list-python-bugs%40lists.gossamer-threads.com
[issue2838] Verify callback for SSL [ In reply to ]
Bill Janssen <bill.janssen@gmail.com> added the comment:

On the client side, are you passing a ca_certs file with the self-signed
certificate in it? If not, the library won't be able to validate the
certificate enough to be able to see the data in it. But if you do
that, you should be able to see the bits of the certificate. There's no
point to seeing the bits of an unvalidated certificate, because they may
be forged. So the library doesn't allow you to see the bits of an
unvalidated certificate from the other side of the connection.

----------
assignee: -> janssen
nosy: +janssen

[issue2838] Verify callback for SSL [ In reply to ]
Ruben Kerkhof <ruben@rubenkerkhof.com> added the comment:

Hi Bill,

When I include the server certificate in ca_certs, verification
succeeds, and I can view the peer certificate dict with getpeercert(False).

When I set ca_certs to None and ssl.CERT_NONE, I can still call
getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM
certificate.

SSL is all new to me, so forgive me if I talk nonsense, but what I'm
trying to do is the following:

I receive a key from Bob which is a digest of his server's certificate.
To make sure I'm really talking to Bob I need to decrypt his server's
signature with his public key and check the resulting digest against my
key. So I have to ignore failures like
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like
X509_V_ERR_CERT_SIGNATURE_FAILURE.

The idea is based on what foolscap is doing with FURLs
(http://foolscap.lothar.com/trac).

Am I making sense?
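A defender-side sketch of the approach Ruben describes (compare the peer certificate's digest against a value received out of band, with chain validation switched off because the certificate is self-signed). This is an added example, not code from the thread or from the Python ssl module under discussion, and it uses the Python 3 ssl API rather than the 2.6 module; SAMPLE_DER is constructed bytes standing in for a real DER certificate, and the host, port and pinned fingerprint are placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate. In real use the
# bytes come from getpeercert(binary_form=True); these are made up.
SAMPLE_DER = b"\x30\x82\x01\x0a\x02\x01\x01" + b"A" * 32


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 digest of the DER certificate, lowercase hex.

    Hashing the full DER bytes covers the certificate's signature too, so
    a forged certificate with the same subject yields a different digest.
    """
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the peer's digest with the pinned one.

    Accepts the pin as plain hex or in the colon-separated form that
    openssl x509 -fingerprint prints.
    """
    expected = expected_hex.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def connect_pinned(host: str, port: int, expected_hex: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the peer certificate's
    digest equals expected_hex.

    Chain validation is disabled (CERT_NONE), as the self-signed case
    requires, so the pin is the only check: on a mismatch the socket is
    closed before any application data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, expected_hex):
        tls.close()
        raise ssl.SSLError("certificate fingerprint mismatch for %s" % host)
    return tls
```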

[issue2838] Verify callback for SSL [ In reply to ]
Bill Janssen <bill.janssen@gmail.com> added the comment:

Yep, it looks like you're on the right track. I'll close this bug.

Bill


[issue2838] Verify callback for SSL [ In reply to ]
Changes by Bill Janssen <bill.janssen@gmail.com>:


----------
resolution: -> works for me
status: open -> closed
