Hi, I'm a new Python user and I'm writing a small web service with SSL.
I want to use a self-signed certificate like in the wiki:
http://docs.python.org/dev/library/ssl.html#certificates
I've used wrap_socket, but if I try to use
cert_reqs=ssl.CERT_REQUIRED, it doesn't work, with the error:

urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
specified for verification of other-side certificates.>

It works only with CERT_NONE (the default), but with this option I
could access the service in insecure mode.

Do you have some suggestions for my service?

Thanks. Regards.

--
Andrea Di Mario

  • Jean-Paul Calderone at Jul 5, 2011 at 2:08 pm

    On Jul 5, 4:52 am, Andrea Di Mario wrote:
    > Hi, I'm a new Python user and I'm writing a small web service with SSL.
    > I want to use a self-signed certificate like in the wiki:
    > http://docs.python.org/dev/library/ssl.html#certificates
    > I've used wrap_socket, but if I try to use
    > cert_reqs=ssl.CERT_REQUIRED, it doesn't work, with the error:
    >
    > urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
    > specified for verification of other-side certificates.>
    >
    > It works only with CERT_NONE (the default), but with this option I
    > could access the service in insecure mode.
    >
    > Do you have some suggestions for my service?

    Also specify some root certificates to use in verifying the peer's
    certificate. Certificate verification works by proceeding from a
    collection of "root" certificates which are explicitly trusted. These
    are used to sign other certificates (which may in turn be used to sign
    others, which in turn...). The process of certificate verification is
    the process of following the signatures from the certificate in use by
    the server you connect to back up the chain until you reach a root
    which you have either decided to trust or not. If the signatures are
    all valid and the root is one you trust, then you have established a
    connection to a trusted entity. If any signature is invalid, or the
    root is not one you trust, then you have not.

    The root certificates are also called the "ca certificates" or
    "certificate authority certificates". `wrap_socket` accepts a
    `ca_certs` argument. See http://docs.python.org/library/ssl.html#ssl-certificates
    for details about that argument.

    Jean-Paul
  • AndDM at Jul 6, 2011 at 8:44 am

    On Jul 5, 4:08 pm, Jean-Paul Calderone wrote:
    > On Jul 5, 4:52 am, Andrea Di Mario wrote:
    >
    > > Hi, I'm a new Python user and I'm writing a small web service with SSL.
    > > I want to use a self-signed certificate like in the wiki:
    > > http://docs.python.org/dev/library/ssl.html#certificates
    > > I've used wrap_socket, but if I try to use
    > > cert_reqs=ssl.CERT_REQUIRED, it doesn't work, with the error:
    > > urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
    > > specified for verification of other-side certificates.>
    > > It works only with CERT_NONE (the default), but with this option I
    > > could access the service in insecure mode.
    > > Do you have some suggestions for my service?
    >
    > Also specify some root certificates to use in verifying the peer's
    > certificate. Certificate verification works by proceeding from a
    > collection of "root" certificates which are explicitly trusted. These
    > are used to sign other certificates (which may in turn be used to sign
    > others, which in turn...). The process of certificate verification is
    > the process of following the signatures from the certificate in use by
    > the server you connect to back up the chain until you reach a root
    > which you have either decided to trust or not. If the signatures are
    > all valid and the root is one you trust, then you have established a
    > connection to a trusted entity. If any signature is invalid, or the
    > root is not one you trust, then you have not.
    >
    > The root certificates are also called the "ca certificates" or
    > "certificate authority certificates". `wrap_socket` accepts a
    > `ca_certs` argument. See http://docs.python.org/library/ssl.html#ssl-certificates
    > for details about that argument.
    >
    > Jean-Paul

    Hi Jean-Paul, I thought that with a self-signed certificate I shouldn't
    use the ca_certs option. Now I've created a CA authority and I use this
    command:

    self.sock = ssl.wrap_socket(sock,
                                certfile="ca/certs/myfriend.cert.pem",
                                keyfile="ca/private/myfriend.key.pem",
                                ca_certs="/home/andrea/ca/certs/cacert.pem",
                                cert_reqs=ssl.CERT_REQUIRED)

    When I use the same machine as client and server it works, but when I use
    another machine as client, I get this:

    Traceback (most recent call last):
      File "loginsender.py", line 48, in <module>
        handle = url_opener.open('https://debian.andrea.it:10700/%s+%s' % (DATA,IPIN))
      File "/usr/lib/python2.6/urllib2.py", line 391, in open
        response = self._open(req, data)
      File "/usr/lib/python2.6/urllib2.py", line 409, in _open
        '_open', req)
      File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
        result = func(*args)
      File "loginsender.py", line 33, in https_open
        return self.do_open(self.specialized_conn_class, req)
      File "/usr/lib/python2.6/urllib2.py", line 1145, in do_open
        raise URLError(err)
    urllib2.URLError: <urlopen error [Errno 185090050] _ssl.c:328: error:
    0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>

    I see that I should create a certificate with server, client and CA
    authority, but I'm not clear about the ca_certs option and which path I
    should use.
    Do you have any suggestions?

    Thanks. Regards.
  • Jean-Paul Calderone at Jul 6, 2011 at 1:53 pm

    On Jul 6, 4:44 am, AndDM wrote:
    > On Jul 5, 4:08 pm, Jean-Paul Calderone wrote:
    > > On Jul 5, 4:52 am, Andrea Di Mario wrote:
    > >
    > > > Hi, I'm a new Python user and I'm writing a small web service with SSL.
    > > > I want to use a self-signed certificate like in the wiki:
    > > > http://docs.python.org/dev/library/ssl.html#certificates
    > > > I've used wrap_socket, but if I try to use
    > > > cert_reqs=ssl.CERT_REQUIRED, it doesn't work, with the error:
    > > > urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
    > > > specified for verification of other-side certificates.>
    > > > It works only with CERT_NONE (the default), but with this option I
    > > > could access the service in insecure mode.
    > > > Do you have some suggestions for my service?
    > >
    > > Also specify some root certificates to use in verifying the peer's
    > > certificate. Certificate verification works by proceeding from a
    > > collection of "root" certificates which are explicitly trusted. These
    > > are used to sign other certificates (which may in turn be used to sign
    > > others, which in turn...). The process of certificate verification is
    > > the process of following the signatures from the certificate in use by
    > > the server you connect to back up the chain until you reach a root
    > > which you have either decided to trust or not. If the signatures are
    > > all valid and the root is one you trust, then you have established a
    > > connection to a trusted entity. If any signature is invalid, or the
    > > root is not one you trust, then you have not.
    > > The root certificates are also called the "ca certificates" or
    > > "certificate authority certificates". `wrap_socket` accepts a
    > > `ca_certs` argument. See http://docs.python.org/library/ssl.html#ssl-certificates
    > > for details about that argument.
    > > Jean-Paul
    >
    > Hi Jean-Paul, I thought that with a self-signed certificate I shouldn't
    > use the ca_certs option. Now I've created a CA authority and I use this
    > command:
    >
    > self.sock = ssl.wrap_socket(sock,
    >                             certfile="ca/certs/myfriend.cert.pem",
    >                             keyfile="ca/private/myfriend.key.pem",
    >                             ca_certs="/home/andrea/ca/certs/cacert.pem",
    >                             cert_reqs=ssl.CERT_REQUIRED)
    >
    > When I use the same machine as client and server it works, but when I use
    > another machine as client, I get this:
    >
    > Traceback (most recent call last):
    >   File "loginsender.py", line 48, in <module>
    >     handle = url_opener.open('https://debian.andrea.it:10700/%s+%s' % (DATA,IPIN))
    >   File "/usr/lib/python2.6/urllib2.py", line 391, in open
    >     response = self._open(req, data)
    >   File "/usr/lib/python2.6/urllib2.py", line 409, in _open
    >     '_open', req)
    >   File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
    >     result = func(*args)
    >   File "loginsender.py", line 33, in https_open
    >     return self.do_open(self.specialized_conn_class, req)
    >   File "/usr/lib/python2.6/urllib2.py", line 1145, in do_open
    >     raise URLError(err)
    > urllib2.URLError: <urlopen error [Errno 185090050] _ssl.c:328: error:
    > 0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>
    >
    > I see that I should create a certificate with server, client and CA
    > authority, but I'm not clear about the ca_certs option and which path I
    > should use.
    > Do you have any suggestions?

    You need to have the CA certificate on any machine that is going to
    verify the certificate used on the SSL connection. The path just
    needs to be the path to that CA certificate on the client machine.

    Jean-Paul
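
The behaviour discussed in this thread, as an added example that is not part of the original posts: a loopback TLS server with a throwaway self-signed certificate, and a client that requires verification with no CA loaded, with the CA file loaded, and with a CA path that does not exist on the client. It assumes Python 3's `ssl.SSLContext` API (the thread used Python 2.6's `ssl.wrap_socket`) and an installed `openssl` command; all function names are hypothetical.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(workdir, host="localhost"):
    """Constructed test material: throwaway self-signed cert via the openssl CLI (assumed installed)."""
    cert, key = os.path.join(workdir, "cert.pem"), os.path.join(workdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=" + host,
                    "-addext", "subjectAltName=DNS:" + host],
                   check=True, capture_output=True)
    return cert, key

def serve_once(listener, cert, key):
    """Accept one TLS connection and send a greeting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    try:
        conn, _ = listener.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"hello")
    except OSError:
        pass  # client aborted the handshake (ssl.SSLError is an OSError)

def try_client(port, ca_file, host="localhost"):
    """Connect with verification required; ca_file plays the role of ca_certs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    try:
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)  # path on the *client* machine
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "verified: " + tls.recv(16).decode()
    except FileNotFoundError:
        return "ca file missing on this machine"
    except ssl.SSLCertVerificationError as exc:
        return "rejected: " + exc.verify_message

def demo():
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_self_signed(workdir)
        # Wrong path: fails while loading the CA file, before any connection is made.
        results = {"bad_path": try_client(0, os.path.join(workdir, "missing.pem"))}
        for label, ca_file in (("no_ca", None), ("with_ca", cert)):
            with socket.create_server(("127.0.0.1", 0)) as listener:
                listener.settimeout(5)
                worker = threading.Thread(target=serve_once, args=(listener, cert, key))
                worker.start()
                results[label] = try_client(listener.getsockname()[1], ca_file)
                worker.join()
        return results

if __name__ == "__main__": print(demo())
```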

Discussion Overview
group: python-list @
categories: python
posted: Jul 5, '11 at 8:52a
active: Jul 6, '11 at 1:53p
posts: 4
users: 2
website: python.org
