Bill Janssen <[EMAIL PROTECTED]> added the comment:

Yep, it looks like you're on the right track.  I'll close this bug.

Bill

On Wed, May 14, 2008 at 12:51 PM, Ruben Kerkhof <[EMAIL PROTECTED]>
wrote:

>
> Ruben Kerkhof <[EMAIL PROTECTED]> added the comment:
>
> Hi Bill,
>
> When I include the server certificate in ca_certs, verification
> succeeds, and I can view the peer certificate dict with getpeercert(False).
>
> When I set ca_certs to None and ssl.CERT_NONE, I can still call
> getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM
> certificate.
>
> SSL is all new to me, so forgive me if I talk nonsense, but what I'm
> trying to do is the following:
>
> I receive a key from Bob which is a digest of his server's certificate.
> To make sure I'm really talking to Bob I need to decrypt his server's
> signature with his public key and check the resulting digest against my
> key. So I have to ignore failures like
> X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and
> X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like
> X509_V_ERR_CERT_SIGNATURE_FAILURE.
>
> The idea is based on what foolscap is doing with FURLS
> (http://foolscap.lothar.com/trac)
>
> Am I making sense?
>
> __________________________________
> Tracker <[EMAIL PROTECTED]>
> <http://bugs.python.org/issue2838>
> __________________________________
>

Added file: http://bugs.python.org/file10323/unnamed

__________________________________
Tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue2838>
__________________________________
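The approach discussed in the thread (handshake with ssl.CERT_NONE, fetch the raw certificate with getpeercert(True), digest it, compare against a fingerprint received out of band, as foolscap does with FURLs) written out as an added example. This is not code from the issue or from foolscap. Names such as connect_pinned and verify_pinned_cert are this example's own, and CONSTRUCTED_DER is a stand-in byte string rather than a real certificate (the pin check treats the certificate as opaque bytes, so any bytes exercise it; sha256(b"abc") is a well-known test vector). Note that it pins the digest of the whole presented certificate and relies on the TLS handshake itself for proof that the peer holds the matching private key; it does not separately verify the certificate's self-signature.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded server certificate.  Not a real
# certificate: the pinning code below never parses it, it only hashes it.
CONSTRUCTED_DER = b"abc"
CONSTRUCTED_DER_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
# PEM form of the same bytes, as getpeercert(True) + DER_cert_to_PEM_cert would give.
CONSTRUCTED_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def format_fingerprint(hexdigest: str) -> str:
    """Render a hex digest as upper-case colon-separated octets (openssl x509 -fingerprint style)."""
    h = normalize_fingerprint(hexdigest).upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def cert_fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Digest of the raw DER certificate bytes, as lowercase hex."""
    return hashlib.new(algorithm, der_cert).hexdigest()


def pem_fingerprint(pem_cert: str, algorithm: str = "sha256") -> str:
    """Same digest computed from the PEM form; ssl.PEM_cert_to_DER_cert strips the armour."""
    return cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert), algorithm)


def verify_pinned_cert(der_cert: bytes, expected_fingerprint: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the presented certificate's digest against the pin."""
    actual = cert_fingerprint(der_cert, algorithm).encode("ascii")
    expected = normalize_fingerprint(expected_fingerprint).encode("ascii", "replace")
    return hmac.compare_digest(actual, expected)


def pinned_context() -> ssl.SSLContext:
    """Context that consults no CA store; trust comes from the pin, not from a chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # self-signed certs now pass the handshake unchallenged
    return ctx


def connect_pinned(host: str, port: int, expected_fingerprint: str,
                   algorithm: str = "sha256", timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate matches the pin."""
    ctx = pinned_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # server_hostname is only used for SNI here
    try:
        # Under CERT_NONE getpeercert() (the dict form) is empty, but the
        # binary form still returns the DER bytes the server presented.
        der = tls.getpeercert(binary_form=True)
        if not der or not verify_pinned_cert(der, expected_fingerprint, algorithm):
            got = format_fingerprint(cert_fingerprint(der, algorithm)) if der else "no certificate"
            raise ssl.SSLCertVerificationError(
                f"certificate pin mismatch for {host}:{port}: got {got}")
    except Exception:
        tls.close()  # never hand back a socket whose peer failed the pin check
        raise
    return tls


if __name__ == "__main__":
    print(format_fingerprint(cert_fingerprint(CONSTRUCTED_DER)))
```

The expected fingerprint must arrive over a channel you already trust (in the FURL model it is embedded in the URL you were handed), and the pin covers the exact certificate, so the value changes whenever the server re-issues its certificate, even with the same key. Because verify_mode is CERT_NONE, nothing in OpenSSL's chain verifier runs at all, which is why the X509_V_ERR_* distinctions from the thread do not arise: the only accept/reject decision is the digest comparison.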
_______________________________________________
Python-bugs-list mailing list