[issue2838] Verify callback for SSL
Bill Janssen [EMAIL PROTECTED] added the comment:

On the client side, are you passing a ca_certs file with the self-signed certificate in it? If not, the library won't be able to validate the certificate enough to be able to see the data in it. But if you do that, you should be able to see the bits of the certificate. There's no point to seeing the bits of an unvalidated certificate, because they may be forged. So the library doesn't allow you to see the bits of an unvalidated certificate from the other side of the connection.

----------
assignee:  -> janssen
nosy: +janssen

_______________________________________
Tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue2838>
_______________________________________

_______________________________________________
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue2838] Verify callback for SSL
Ruben Kerkhof [EMAIL PROTECTED] added the comment:

Hi Bill,

When I include the server certificate in ca_certs, verification succeeds, and I can view the peer certificate dict with getpeercert(False).

When I set ca_certs to None and ssl.CERT_NONE, I can still call getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM certificate.

SSL is all new to me, so forgive me if I talk nonsense, but what I'm trying to do is the following:

I receive a key from Bob which is a digest of his server's certificate. To make sure I'm really talking to Bob I need to decrypt his server's signature with his public key and check the resulting digest against my key. So I have to ignore failures like X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like X509_V_ERR_CERT_SIGNATURE_FAILURE.

The idea is based on what foolscap is doing with FURLs (http://foolscap.lothar.com/trac).

Am I making sense?

_______________________________________
Tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue2838>
_______________________________________
[issue2838] Verify callback for SSL
Bill Janssen [EMAIL PROTECTED] added the comment:

Yep, it looks like you're on the right track.  I'll close this bug.

Bill

On Wed, May 14, 2008 at 12:51 PM, Ruben Kerkhof [EMAIL PROTECTED] wrote:
> Ruben Kerkhof [EMAIL PROTECTED] added the comment:
>
> Hi Bill,
>
> When I include the server certificate in ca_certs, verification succeeds, and I can view the peer certificate dict with getpeercert(False).
>
> When I set ca_certs to None and ssl.CERT_NONE, I can still call getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM certificate.
>
> SSL is all new to me, so forgive me if I talk nonsense, but what I'm trying to do is the following:
>
> I receive a key from Bob which is a digest of his server's certificate. To make sure I'm really talking to Bob I need to decrypt his server's signature with his public key and check the resulting digest against my key. So I have to ignore failures like X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like X509_V_ERR_CERT_SIGNATURE_FAILURE.
>
> The idea is based on what foolscap is doing with FURLs (http://foolscap.lothar.com/trac).
>
> Am I making sense?
_______________________________________
Tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue2838>
_______________________________________
Added file: http://bugs.python.org/file10323/unnamed
[issue2838] Verify callback for SSL
Changes by Bill Janssen [EMAIL PROTECTED]:

----------
resolution:  -> works for me
status: open -> closed

_______________________________________
Tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue2838>
_______________________________________
[issue2838] Verify callback for SSL
New submission from Ruben Kerkhof [EMAIL PROTECTED]:

I've been playing with the new SSL module, and so far it works great. However, when using it to connect to a host with a self-signed certificate, verification fails when I specify ssl.CERT_REQUIRED (as expected). I know that I'm connecting to a host with a self-signed certificate, so I want to be able to ignore that error. At the moment, the only option I see is to specify ssl.CERT_NONE and verify the DER certificate by hand. It would be great if I could specify a callback function that can ignore certain errors, and does additional checking.

----------
components: Library (Lib)
messages: 66746
nosy: ruben
severity: normal
status: open
title: Verify callback for SSL
type: feature request
versions: Python 2.6

_______________________________________
Tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue2838>
_______________________________________
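The "verify the DER certificate by hand" approach from this feature request, and the digest-comparison plan Ruben lays out in his follow-up (which Bill confirms as the right track), amount to certificate pinning. The code below is an added example written for this page, not code from the tracker thread or from the Python ssl module itself. It uses only the stdlib calls the thread names (CERT_NONE, getpeercert(True), DER_cert_to_PEM_cert and its PEM_cert_to_DER_cert counterpart) plus hashlib and hmac. The security argument: the TLS handshake already proves the server holds the private key for the certificate it presented, so comparing the presented certificate's digest against a value obtained out of band (Bob's "key") authenticates the peer without any CA chain; the X509_V_ERR_*SELF_SIGNED* failures become irrelevant and a forged certificate simply fails the digest check. The host name, port and expected digest are placeholders; the DER stand-in bytes used in the test are constructed.

```python
"""Certificate pinning with the stdlib ssl module (added example, not from the thread).

Flow: connect with verify_mode=CERT_NONE, fetch the peer certificate as DER with
getpeercert(binary_form=True), hash it, and compare against a pinned digest in
constant time. Nothing may be sent on the socket until the pin check passes.
"""
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Lowercase hex digest of a DER-encoded certificate (the value to pin)."""
    return hashlib.new(algorithm, der_cert).hexdigest()


def fingerprint_from_pem(pem_cert: str, algorithm: str = "sha256") -> str:
    """Same digest, starting from the PEM form that DER_cert_to_PEM_cert produces."""
    return cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert), algorithm)


def fingerprint_matches(der_cert: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison; accepts 'AB:CD:..' or 'abcd..' as the pinned value."""
    expected = expected_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(cert_fingerprint(der_cert, algorithm), expected)


def pinned_context() -> ssl.SSLContext:
    """Context that deliberately skips CA and host-name checks.

    The pin replaces those checks, so the caller is responsible for calling
    fingerprint_matches() before exchanging any application data.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # like the thread: no chain validation
    return ctx


def connect_pinned(host: str, port: int, expected_hex: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and return it only if the peer certificate matches the pin."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = pinned_context().wrap_socket(raw, server_hostname=host)  # SNI only
    try:
        der = tls.getpeercert(binary_form=True)  # DER bytes are available even under CERT_NONE
        if not der or not fingerprint_matches(der, expected_hex):
            raise ssl.SSLCertVerificationError(
                "peer certificate does not match pinned fingerprint "
                f"(got {cert_fingerprint(der) if der else 'no certificate'})"
            )
    except BaseException:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Placeholder host and pin (assumptions, not values from the thread). Obtain the
    # real pin out of band, e.g. by printing cert_fingerprint() of the DER bytes once
    # over a channel you already trust.
    EXPECTED = "00" * 32
    try:
        with connect_pinned("server.example", 443, EXPECTED) as conn:
            print("pinned connection established, cipher:", conn.cipher())
    except (OSError, ssl.SSLError) as exc:
        print("connection refused or pin mismatch:", exc)
```

Design note: pinning the digest of the whole certificate, as the thread describes, means the pin must be rotated whenever the certificate is reissued, even if the key stays the same; pinning the SubjectPublicKeyInfo instead survives reissuance with the same key, but extracting it needs an ASN.1 parser that the stdlib does not provide. Whichever is pinned, keep a second, pre-distributed backup pin so a rotation does not lock clients out.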