Using HTTPSConnection and verifying server's CRT

Hi,

I'm trying to build a system using HTTPS with python clients that have
to verify the server's identity. From the Python documentation, it seems that
the server's certificate is not verified, and authentication can only be
in the other way (client authentication).
I know usually users only click on 'yes I trust this certificate', but
what if you really care (this is my case)?

I tried to see if the M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/

Can someone confirm to me that this is not possible or point me to something
that could help me?

Thanks,
Marc
Jul 18 '05 #1
According to Marc Poulhiès <ma******************@epfl.ch>:
I tried to see if the M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/
How did you test and where on the website does it say not?
Can someone confirm to me that this is not possible or point me to something
that could help me?


M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)

M2Crypto even does client certs. Since Apr 2000, according to the very last
blog entry on the ZServerSSL page.
--
Ng Pheng Siong <ng**@netmemetic.com>

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption
Jul 18 '05 #2
ng**@netmemetic.com (Ng Pheng Siong) writes:

Hi,
According to Marc Poulhiès <ma******************@epfl.ch>:
I tried to see if the M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/
How did you test and where on the website does it say not?


I did things like this:
con = M2Crypto.httpslib.HTTPSConnection("some_secure_server")
con.request("GET", "/")

I tried to play with optional parameters (strict, debuglevel, etc) to
see if it was saying that it will not check server's CRT or some other
debug message dealing with server's certificate, but it is always
returning the webpage without saying anything :)

I did not say that M2C's doc stated clearly that this was not possible
(that's why I wrote "seems"), but I couldn't find something stating it
was possible (I tried google, API docs).
Can someone confirm to me that this is not possible or point me to something
that could help me?


M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)


Ok, sorry for that. Maybe that with more readings I could have spotted
this. I'll try that tomorrow and give my code if I have something
working!

M2Crypto even does client certs. Since Apr 2000, according to the very last
blog entry on the ZServerSSL page.


Yes, I did try this and have my client authenticated to the server.

Thanks for this quick and clear answer ;)

Marc
Jul 18 '05 #3
Marc Poulhiès <ma***********@NO-SP4Mepfl.ch> writes:
ng**@netmemetic.com (Ng Pheng Siong) writes:

M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)


Hi again!

So here are a few lines that do the server's CRT check. I still have one
question: see in the code. Both have the exact same description in
the documentation.

Btw, thanks for your answer (this will save me from using Perl!)
Marc

---8<-------8<-------8<-------8<----
#!/usr/bin/env python
import M2Crypto

ctx = M2Crypto.SSL.Context()

## what are the diff between these two??
#ctx.load_verify_info(cafile="/tmp/ca.crt")
# CA certificate(s) that the server's certificate must chain up to
ctx.load_verify_locations(cafile="/tmp/ca.crt")

# load client certificate (used to authenticate the client);
# this prompts for the private key's passphrase
ctx.load_cert("/tmp/client.crt")

# stop if peer's certificate can't be verified
ctx.set_allow_unknown_ca(False)

# verify peer's certificate; verify depth 1 means the server's certificate
# must be signed directly by a CA in ca.crt (no intermediate CAs)
ctx.set_verify(M2Crypto.SSL.verify_peer, 1)

con = M2Crypto.httpslib.HTTPSConnection("my.ssl.server.domain", ssl_context=ctx)

con.request("GET", "/")
print(con.getresponse().read())
---8<-------8<-------8<-------8<-----

Result here:
$ ./ssl_peer_verif.py
Enter passphrase:
send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Tue, 01 Feb 2005 08:41:51 GMT
header: Server: Apache/2.0.46 (Red Hat)
header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
header: ETag: "4297-13-24658680"
header: Accept-Ranges: bytes
header: Content-Length: 19
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
THIS IS WORKING =)
Jul 18 '05 #4
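The configuration in the post above, carried over to the standard-library ssl module and http.client, as an added example (editor-supplied code, not from the thread and not M2Crypto's own API). It shows two things the posted code does not make explicit: the "before" picture, a context that accepts any certificate, which is what the first test in this thread (an HTTPSConnection with no context) amounted to; and that a CA check alone does not bind the certificate to the server, since a certificate validly issued by ca.crt for some other host would still pass unless the client also checks the hostname, and nothing in the posted code checks that the name in the certificate matches my.ssl.server.domain. The host name, the CA bundle path and the client certificate and key paths are placeholders taken over from the thread; audit_client_context() inspects a context without opening a socket, so it can be run offline.

```python
"""Client-side server-certificate verification with the standard library:
the stdlib counterpart of the M2Crypto configuration in the thread.
Editor-added example; host name and file paths are placeholders."""
import http.client
import ssl

# Placeholders mirroring the thread (assumptions, not real hosts or files).
SERVER_HOST = "my.ssl.server.domain"
CA_FILE = "/tmp/ca.crt"
CLIENT_CERT = "/tmp/client.crt"
CLIENT_KEY = "/tmp/client.key"


def unverified_context():
    """The 'before' picture: accepts any certificate from anyone.
    This is what a connection without a configured context amounted to
    in the thread's first test. Kept only for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None, certfile=None, keyfile=None):
    """Counterpart of load_verify_locations + set_verify(verify_peer) +
    load_cert in the thread, plus hostname checking.

    cafile   PEM bundle of the CA(s) trusted for this service. None means
             the OS trust store: right for public sites, wrong for a
             private CA such as /tmp/ca.crt.
    certfile client certificate (with keyfile) for mutual TLS; optional.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # no cert, or a bad chain, aborts the handshake
    ctx.check_hostname = True             # the chain must be for the host we asked for
    if cafile is None:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=cafile)
    if certfile is not None:
        # Equivalent of ctx.load_cert("/tmp/client.crt") in the thread;
        # prompts for the key passphrase unless password= is supplied.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_client_context(ctx):
    """Inspect a client SSLContext without any network I/O. Returns short
    tags naming what is wrong; an empty list means the context requires a
    chain to a loaded CA, checks the hostname and refuses pre-1.2 TLS."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode")      # any certificate is accepted
    if not ctx.check_hostname:
        findings.append("check_hostname")   # a valid cert for another name passes
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no_ca")            # nothing to chain to
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("min_version")
    return findings


def fetch(host, ctx, path="/", timeout=10):
    """GET `path` from `host` over TLS using `ctx`; returns (status, body).
    Raises ssl.SSLCertVerificationError when the chain or the name does not
    check out, before any part of the HTTP request is sent."""
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    ctx = verifying_context(cafile=CA_FILE, certfile=CLIENT_CERT, keyfile=CLIENT_KEY)
    print("findings:", audit_client_context(ctx) or "none")
    status, body = fetch(SERVER_HOST, ctx)
    print(status, body.decode(errors="replace"))
```

Running the audit on the two contexts is the quickest way to see the difference: the unverified one reports verify_mode and check_hostname, the verifying one reports neither. The same check is worth running on any context handed to you by a library, since a CERT_NONE context is indistinguishable from a verifying one at the call site.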
According to Marc Poulhiès <ma***********@NO-SP44Mepfl.ch>:
Btw, thanks for your answer (this will save me from using Perl!)
You're welcome.
## what are the diff between these two??
#ctx.load_verify_info(cafile="/tmp/ca.crt")
ctx.load_verify_locations(cafile="/tmp/ca.crt")
None. One is an alias for the other, to adhere to OpenSSL's naming
convention.
$ ./ssl_peer_verif.py
Enter passphrase:
send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Tue, 01 Feb 2005 08:41:51 GMT
header: Server: Apache/2.0.46 (Red Hat)
header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
header: ETag: "4297-13-24658680"
header: Accept-Ranges: bytes
header: Content-Length: 19
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
THIS IS WORKING =)


Excellent! ;-)
--
Ng Pheng Siong <ng**@netmemetic.com>

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption
Jul 18 '05 #5