
Using HTTPSConnection and verifying server's CRT

Hi,

I'm trying to build a system using HTTPS with Python clients that have
to verify the server's identity. From the Python documentation, it seems that
the server's certificate is not verified, and authentication can only be
done the other way (client authentication).
I know usually users only click on 'yes I trust this certificate', but
what if you really care (this is my case)?

I tried to see if M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/

Can someone confirm to me that this is not possible or point me to something
that could help me?

Thanks,
Marc
Jul 18 '05 #1
4 Replies


According to Marc Poulhiès <ma******************@epfl.ch>:
I tried to see if M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/
How did you test and where on the website does it say not?
Can someone confirm to me that this is not possible or point me to something
that could help me?


M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)

M2Crypto even does client certs. Since Apr 2000, according to the very last
blog entry on the ZServerSSL page.
--
Ng Pheng Siong <ng**@netmemetic.com>

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption
Jul 18 '05 #2

ng**@netmemetic.com (Ng Pheng Siong) writes:

Hi,
According to Marc Poulhiès <ma******************@epfl.ch>:
I tried to see if M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/
How did you test and where on the website does it say not?


I did things like this:
con = M2Crypto.httpslib.HTTPSConnection("some_secure_server")
con.request("GET" , "/")

I tried to play with the optional parameters (strict, debuglevel, etc.) to
see if it was saying that it will not check the server's CRT or some other
debug message dealing with the server's certificate, but it always
returns the webpage without saying anything :)

I did not say that M2C's doc stated clearly that this was not possible
(that's why I wrote "seems"), but I couldn't find anything stating it
was possible (I tried Google, API docs).
Can someone confirm to me that this is not possible or point me to something
that could help me?


M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)


Ok, sorry for that. Maybe with more reading I could have spotted
this. I'll try that tomorrow and give my code if I have something
working!

M2Crypto even does client certs. Since Apr 2000, according to the very last
blog entry on the ZServerSSL page.


Yes, I did try this and have my client authenticated to the server.

Thanks for this quick and clear answer ;)

Marc
Jul 18 '05 #3

Marc Poulhiès <ma***********@NO-SP4Mepfl.ch> writes:
ng**@netmemetic.com (Ng Pheng Siong) writes:

M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)


Hi again!

So here are a few lines that do the server's CRT check. I still have one
question: see the code. Both have the exact same description in
the documentation.

Btw, thanks for your answer (this will save me from using Perl!)
Marc

---8<-------8<-------8<-------8<----
#!/usr/bin/env python
import M2Crypto

ctx = M2Crypto.SSL.Context()

## what are the diff between these two??
#ctx.load_verify_info(cafile="/tmp/ca.crt")
# CA certificate(s) the server's certificate must chain up to
ctx.load_verify_locations(cafile="/tmp/ca.crt")

# load client certificate (used to authenticate the client);
# with no separate keyfile the private key is read from the same file
ctx.load_cert("/tmp/client.crt")

# stop if peer's certificate can't be verified
ctx.set_allow_unknown_ca(False)

# verify peer's certificate, with a maximum chain depth of 1
ctx.set_verify(M2Crypto.SSL.verify_peer, 1)

con = M2Crypto.httpslib.HTTPSConnection("my.ssl.server.domain", ssl_context=ctx)

con.request("GET", "/")
print(con.getresponse().read())
---8<-------8<-------8<-------8<-----

Result here:
$ ./ssl_peer_verif.py
Enter passphrase:
send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Tue, 01 Feb 2005 08:41:51 GMT
header: Server: Apache/2.0.46 (Red Hat)
header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
header: ETag: "4297-13-24658680"
header: Accept-Ranges: bytes
header: Content-Length: 19
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
THIS IS WORKING =)
Jul 18 '05 #4

According to Marc Poulhiès <ma***********@NO-SP44Mepfl.ch>:
Btw, thanks for your answer (this will save me from using Perl!)
You're welcome.
## what are the diff between these two??
#ctx.load_verify_info(cafile="/tmp/ca.crt")
ctx.load_verify_locations(cafile="/tmp/ca.crt")
None. One is an alias for the other, to adhere to OpenSSL's naming
convention.
$ ./ssl_peer_verif.py
Enter passphrase:
send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Tue, 01 Feb 2005 08:41:51 GMT
header: Server: Apache/2.0.46 (Red Hat)
header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
header: ETag: "4297-13-24658680"
header: Accept-Ranges: bytes
header: Content-Length: 19
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
THIS IS WORKING =)


Excellent! ;-)
--
Ng Pheng Siong <ng**@netmemetic.com>

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption
Jul 18 '05 #5
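Added example (not code from the thread, and not M2Crypto's own): the same check done end to end with Python's standard-library ssl module, against a server running on localhost. The script in #4 makes sure the server's certificate chains up to /tmp/ca.crt, but nothing in it checks that the certificate was issued for my.ssl.server.domain, so any certificate signed by that CA would be accepted for any host. The code below mints a throwaway CA and server certificate with the openssl command-line tool (assumed to be on PATH; the CA name and the hostname, reused from the thread's placeholder, are made up), serves TLS on a loopback port, and then connects three ways: trusting the CA (succeeds), trusting only the system CAs (rejected, issuer unknown), and trusting the CA but expecting a different hostname (rejected, name mismatch).

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "my.ssl.server.domain"  # placeholder from the thread; the server cert is issued for it
# Minimal req config so the example does not depend on the system openssl.cnf.
REQ_CONF = "[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n"

def _openssl(*args):
    """Run one openssl CLI command (assumed on PATH); failure raises CalledProcessError."""
    subprocess.run(("openssl",) + args, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

def make_test_pki(workdir):
    """Mint a self-signed CA and a server cert it signed; return (ca.crt, server.crt, server.key)."""
    p = lambda name: os.path.join(workdir, name)
    with open(p("req.cnf"), "w") as f:
        f.write(REQ_CONF)
    # Explicit CA:TRUE: OpenSSL will not use a v3 certificate without it as a trust anchor.
    with open(p("ca_ext.cnf"), "w") as f:
        f.write("basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n")
    with open(p("srv_ext.cnf"), "w") as f:
        f.write("basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n" % HOSTNAME)
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", p("req.cnf"),
             "-subj", "/CN=Throwaway Test CA", "-keyout", p("ca.key"), "-out", p("ca.csr"))
    _openssl("x509", "-req", "-in", p("ca.csr"), "-signkey", p("ca.key"), "-days", "2",
             "-extfile", p("ca_ext.cnf"), "-out", p("ca.crt"))
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", p("req.cnf"),
             "-subj", "/CN=" + HOSTNAME, "-keyout", p("server.key"), "-out", p("server.csr"))
    _openssl("x509", "-req", "-in", p("server.csr"), "-CA", p("ca.crt"), "-CAkey", p("ca.key"),
             "-CAcreateserial", "-days", "2", "-extfile", p("srv_ext.cnf"), "-out", p("server.crt"))
    return p("ca.crt"), p("server.crt"), p("server.key")

class TlsServer(threading.Thread):
    """Loopback TLS server: one request in, one fixed reply out, per connection."""
    def __init__(self, certfile, keyfile):
        super().__init__(daemon=True)
        self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.ctx.load_cert_chain(certfile, keyfile)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # so the accept loop notices `stopping`
        self.port = self.sock.getsockname()[1]
        self.stopping = threading.Event()

    def run(self):
        while not self.stopping.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            try:
                with self.ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(4096)
                    tls.sendall(b"THIS IS WORKING")
            except OSError:
                pass  # a client that rejects our certificate aborts the handshake here
            finally:
                conn.close()
        self.sock.close()

def fetch(port, ctx, server_hostname):
    """TLS-connect to the loopback server with `ctx`, expecting a cert for `server_hostname`.
    Returns ("ok", reply) or ("rejected", verify_code, message)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
                return ("ok", tls.recv(4096).decode())
    except ssl.SSLCertVerificationError as e:
        return ("rejected", e.verify_code, e.verify_message)

def run_demo():
    """Mint the PKI, start the server, try three client configurations."""
    with tempfile.TemporaryDirectory() as workdir:
        ca_crt, srv_crt, srv_key = make_test_pki(workdir)
        server = TlsServer(srv_crt, srv_key)
        server.start()
        try:
            # create_default_context(): verify_mode CERT_REQUIRED and check_hostname=True
            trusting = ssl.create_default_context(cafile=ca_crt)
            untrusting = ssl.create_default_context()  # system CAs only; ours is unknown to it
            return {
                "trusted_ca": fetch(server.port, trusting, HOSTNAME),
                "unknown_ca": fetch(server.port, untrusting, HOSTNAME),
                "wrong_host": fetch(server.port, trusting, "wrong.example"),
            }
        finally:
            server.stopping.set()
            server.join()

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print("%-10s %s" % (name, outcome))
```

Running it prints one line per case. The CA file plus CERT_REQUIRED is the counterpart of the thread's load_verify_locations / set_allow_unknown_ca(False) / set_verify(verify_peer, ...); check_hostname is the extra step, and it is what makes the third case fail. The OpenSSL verify codes reported are 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) for the unknown CA and 62 (X509_V_ERR_HOSTNAME_MISMATCH) for the wrong name.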
