Hi,

I'm trying to build a system using HTTPS with python clients that have
to verify the server's identity. From the Python document, it seems that
the server's certificate is not verified, and authentication can only be
in the other way (client authentication).
I know usually users only click on 'yes I trust this certificate', but
what if you really care (this is my case)?

I tried to see if the M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/

Can someone confirm me this is not possible or point me to something
that could help me?

Thanks,
Marc


  • Ng Pheng Siong at Jan 31, 2005 at 4:29 pm

    According to Marc Poulhiès <marc.poulhiesNO-SP4M at epfl.ch>:
    I tried to see if the M2Crypto has this possibility, but from my tests
    and from what I can find on the website, it seems not :/
    How did you test and where on the website does it say not?
    Can someone confirm me this is not possible or point me to something
    that could help me?
    M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
    in an SSL.Context instance to the HTTPSConnection constructor to configure
    the SSL; one of the config knobs is cert verification. So, redo your test,
    satisfy yourself that this is doable, and send me your code to include as
    an example in the distribution. ;-)

    M2Crypto even does client certs. Since Apr 2000, according to the very last
    blog entry on the ZServerSSL page.


    --
    Ng Pheng Siong <ngps at netmemetic.com>

    http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
    http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption
  • Marc Poulhiès at Jan 31, 2005 at 4:41 pm
    ngps at netmemetic.com (Ng Pheng Siong) writes:

    Hi,
    According to Marc Poulhiès <marc.poulhiesNO-SP4M at epfl.ch>:
    I tried to see if the M2Crypto has this possibility, but from my tests
    and from what I can find on the website, it seems not :/
    How did you test and where on the website does it say not?
    I did things like this:
    con = M2Crypto.httpslib.HTTPSConnection("some_secure_server")
    con.request("GET" , "/")

    I tried to play with optional parameters (strict, debuglevel, etc) to
    see if it was saying that it will not check server's CRT or some other
    debug message dealing with server's certificate, but it is always
    returning the webpage without saying anything :)

    I did not say that M2C's doc stated clearly that this was not possible
    (that's why I wrote "seems"), but I couldn't find something stating it
    was possible (I tried google, API docs).
    Can someone confirm me this is not possible or point me to something
    that could help me?
    M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
    in an SSL.Context instance to the HTTPSConnection constructor to configure
    the SSL; one of the config knobs is cert verification. So, redo your test,
    satisfy yourself that this is doable, and send me your code to include as
    an example in the distribution. ;-)
    Ok, sorry for that. Maybe that with more readings I could have spotted
    this. I'll try that tomorrow and give my code if I have something
    working!

    M2Crypto even does client certs. Since Apr 2000, according to the very last
    blog entry on the ZServerSSL page.
    Yes, I did try this and have my client authenticated to the server.

    Thanks for this quick and clear answer ;)

    Marc
  • Marc Poulhiès at Feb 1, 2005 at 8:44 am

    Marc Poulhiès <marc.poulhies at NO-SP4Mepfl.ch> writes:

    ngps at netmemetic.com (Ng Pheng Siong) writes:
    M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
    in an SSL.Context instance to the HTTPSConnection constructor to configure
    the SSL; one of the config knobs is cert verification. So, redo your test,
    satisfy yourself that this is doable, and send me your code to include as
    an example in the distribution. ;-)
    Hi again!

    So here are few lines that do server's CRT check. I still have one
    question: see in the code. Both have the exact same description on
    the documentation.

    Btw, thanks for your answer (this will save me from using Perl!)
    Marc

    ---8<-------8<-------8<-------8<----
    #!/usr/bin/env python
    import M2Crypto

    ctx = M2Crypto.SSL.Context()

    ## what are the diff between these two??
    #ctx.load_verify_info(cafile="/tmp/ca.crt")
    ctx.load_verify_locations(cafile="/tmp/ca.crt")

    # load client certificate (used to authenticate the client)
    ctx.load_cert("/tmp/client.crt")

    # stop if peer's certificate can't be verified
    ctx.set_allow_unknown_ca(False)

    # verify peer's certificate
    ctx.set_verify(M2Crypto.SSL.verify_peer, 1)

    con = M2Crypto.httpslib.HTTPSConnection("my.ssl.server.domain",ssl_context=ctx)

    con.request("GET" , "/")
    print con.getresponse().read()
    ---8<-------8<-------8<-------8<-----

    Result here:
    $ ./ssl_peer_verif.py
    Enter passphrase:
    send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
    reply: 'HTTP/1.1 200 OK\r\n'
    header: Date: Tue, 01 Feb 2005 08:41:51 GMT
    header: Server: Apache/2.0.46 (Red Hat)
    header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
    header: ETag: "4297-13-24658680"
    header: Accept-Ranges: bytes
    header: Content-Length: 19
    header: Connection: close
    header: Content-Type: text/html; charset=UTF-8
    THIS IS WORKING =)
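An added example, not Marc's script and not M2Crypto's API: the same knobs Marc's script sets (trust a CA file, require the peer's certificate, optionally present a client certificate) expressed with Python's standard-library ssl module, which did not offer verification when this thread was written. The unverified context is shown beside it for contrast, and the last function checks an edge case: Python refuses to drop certificate verification while hostname checking is still enabled.

```python
import http.client
import ssl


def make_verifying_context(cafile=None, client_cert=None, client_key=None):
    """Client context that rejects a server whose certificate does not chain
    to the trusted CA(s) or whose name does not match the requested host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already enables both; restated so the intent is explicit.
    ctx.verify_mode = ssl.CERT_REQUIRED      # counterpart of set_verify(verify_peer)
    ctx.check_hostname = True                # also bind the certificate to the host name
    if cafile is None:
        ctx.load_default_certs()             # system trust store
    else:
        ctx.load_verify_locations(cafile=cafile)  # counterpart of load_verify_locations
    if client_cert:                          # optional client auth, like load_cert(...)
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def make_unverified_context():
    """The weak setting, for contrast: encrypts the connection but trusts any
    certificate, so it gives no assurance about who the server is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise the two verification knobs of a context for inspection."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def cert_none_allowed_with_check_hostname():
    """Edge case: setting CERT_NONE while check_hostname is on raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # check_hostname defaults to True
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return False
    return True


def https_get(host, path, ctx, port=443):
    """Fetch a resource; with a verifying context the handshake fails closed
    (ssl.SSLCertVerificationError) if the server cannot be authenticated."""
    con = http.client.HTTPSConnection(host, port, context=ctx)
    con.request("GET", path)
    resp = con.getresponse()
    body = resp.read()
    con.close()
    return resp.status, body
```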
  • Ng Pheng Siong at Feb 1, 2005 at 10:04 pm

    According to Marc Poulhiès <marc.poulhies at NO-SP44Mepfl.ch>:
    Btw, thanks for your answer (this will save me from using Perl!)
    You're welcome.
    ## what are the diff between these two??
    #ctx.load_verify_info(cafile="/tmp/ca.crt")
    ctx.load_verify_locations(cafile="/tmp/ca.crt")
    None. One is an alias for the other, to adhere to OpenSSL's naming
    convention.
    $ ./ssl_peer_verif.py
    Enter passphrase:
    send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
    reply: 'HTTP/1.1 200 OK\r\n'
    header: Date: Tue, 01 Feb 2005 08:41:51 GMT
    header: Server: Apache/2.0.46 (Red Hat)
    header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
    header: ETag: "4297-13-24658680"
    header: Accept-Ranges: bytes
    header: Content-Length: 19
    header: Connection: close
    header: Content-Type: text/html; charset=UTF-8
    THIS IS WORKING =)
    Excellent! ;-)


    --
    Ng Pheng Siong <ngps at netmemetic.com>

    http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
    http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption

Discussion Overview: group python-list (python.org), posted Jan 31, 2005 at 3:48 pm, last active Feb 1, 2005 at 10:04 pm, 5 posts, 4 users.