On Wed, Jul 28, 2010 at 10:08 PM, John Nagle <na...@animats.com> wrote:
> On 7/28/2010 6:26 PM, geremy condra wrote:
>>
>> On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey Gaynor <jgay...@ncsa.uiuc.edu> wrote:
>>>
>>> Hi,
>>>
>>> I am making a first large project in python and am having quite a
>>> bit of difficulty unscrambling various python versions and what
>>> they can/cannot do. To wit, I must communicate with certain
>>> services via https and am required to perform certificate
>>> verification on them.
>>>
>>> The problem is that I also have to do this under CentOS 5.5 which
>>> only uses python 2.4 as its default -- this is not negotiable. As
>>> near as I can tell from reading various posts, the https client
>>> does not do verification and there is no low-level SSL support to
>>> provide a workaround. Near as I can tell from reading, 2.6 does
>>> include this. Am I getting this right? Is there a simple way to do
>>> this? More to the point, I need to know pretty darn quick if this
>>> is impossible so we can try and plan for it.
>>>
>>> So the quick question: Has anyone done certificate verification
>>> using 2.4 and if so, how?
>>>
>>> Thanks!
>>
>> M2Crypto is the way to go here. I think there's an example on their
>> site.
>
> M2Crypto does that job quite well. Installing M2Crypto tends to be
> painful if you have to build it, though. See if you can find a
> pre-built version.
>
> You then need a "cacert.pem" file, with the root certificates you're
> going to trust. You can get one from
>
> http://curl.haxx.se/docs/caextract.html
>
> which converts Mozilla's format to a .pem file once a week.
> The actual Mozilla source file is at
>
> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
>
> but M2Crypto needs it in .pem format.
>
> The new Python SSL module in 2.6 and later has a huge built-in
> security hole - it doesn't verify the domain against the
> certificate. As someone else put it, this means "you get to
> talk securely with your attacker." As long as the site or proxy
> has some valid SSL cert, any valid SSL cert copied from anywhere,
> the new Python SSL module will tell you everything is just fine.
>
> John Nagle
Did anything ever come of the discussion that you and Antoine had?

Geremy Condra

PS- the quote is due to Justin Samuel
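The hole John Nagle describes above is the gap between "this certificate chains to a CA I trust" and "this certificate was issued for the host I meant to talk to". The following is an added example, not code from the thread, from M2Crypto or from the Python `ssl` module's own sources, written for Python 3 (3.4 or later, where `ssl.create_default_context` exists). It shows the two halves of the fix: a client context that refuses connections unless the chain verifies and the hostname matches, and a stand-alone implementation of the name-matching rule itself, exercised offline against a constructed dict shaped like the value `ssl.SSLSocket.getpeercert()` returns. All hostnames, dates and issuer names in it are made up.

```python
"""Added example (not from the thread): what "verifying the domain against the
certificate" means, in Python 3.

  * make_verifying_context(): an ssl.SSLContext configured so a connection
    fails unless the peer certificate chains to a trusted CA *and* names the
    host we asked for (Python 3.4+; the 2.6-era module the thread discusses
    had no such switch).
  * hostname_matches_cert(): the matching rule on its own, run over a
    constructed dict shaped like ssl.SSLSocket.getpeercert() output so it can
    be exercised without a network.
"""
import ssl
from typing import Dict, List, Optional


def make_verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies both the chain and the hostname.

    cafile is an optional PEM bundle such as the curl/Mozilla extract the
    thread mentions; with None the platform's default trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Both settings are already the defaults of create_default_context();
    # they are set explicitly because they are the point of the example.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly "*.example.com") to a host.

    Case-insensitive, label by label. A wildcard is honoured only as the
    entire leftmost label, matches exactly one label, and must be followed
    by at least two more labels, so "*.com" never matches anything.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_dns_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for: SAN DNS entries, else subject CN.

    Falling back to commonName only when there is no subjectAltName mirrors
    long-standing client behaviour; when a SAN is present the CN is ignored.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def hostname_matches_cert(cert: Dict, hostname: str) -> bool:
    """True iff the certificate names `hostname`.

    This is the check the thread says the 2.6 module skipped: without it, a
    valid certificate for *some* host passes chain verification for *every*
    host.
    """
    return any(_dns_name_matches(name, hostname) for name in cert_dns_names(cert))


# Constructed sample shaped like ssl.SSLSocket.getpeercert() output; every
# name and date here is made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
}


if __name__ == "__main__":
    for host in ("www.example.com", "api.example.net",
                 "deep.api.example.net", "example.net", "attacker.test"):
        print(f"{host:24s} -> {hostname_matches_cert(SAMPLE_CERT, host)}")
```

In a real client the context does the work: `make_verifying_context().wrap_socket(sock, server_hostname=host)` raises on a mismatch, and the hand-written matcher is only there to make the rule visible. The wildcard constraints (leftmost label only, one label deep, never directly under a TLD) are the part most often got wrong when people roll their own.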