Using HTTPSConnection and verifying server's CRT

According to Marc Poulhiès <ma******************@epfl.ch>:

I tried to see if the M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/
How did you test and where on the website does it say not?
Can someone confirm me this is not possible or point me to something
that could help me?

M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)

M2Crypto even does client certs. Since Apr 2000, according to the very last
blog entry on the ZServerSSL page.
--
Ng Pheng Siong <ng**@netmemetic.com>

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption

ng**@netmemetic.com (Ng Pheng Siong) writes:

Hi,

According to Marc Poulhiès <ma******************@epfl.ch>:

I tried to see if the M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/
How did you test and where on the website does it say not?

I did things like this:
con = M2Crypto.httpslib.HTTPSConnection("some_secure_ser ver")
con.request("GET" , "/")

I tried to play with optional parameters (strict, debuglevel, etc) to
see if it was saying that it will not check server's CRT or some other
debug message dealing with server's certificate, but it is always
returning the webpage without saying anything :)

I did not say that M2C's doc stated clearly that this was not possible
(that's why I wrote "seems"), but I couldn't find something stating it
was possible (I tried google, API docs).

Can someone confirm me this is not possible or point me to something
that could help me?

M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)

Ok, sorry for that. Maybe that with more readings I could have spotted
this. I'll try that tomorrow and give my code if I have something
working!

M2Crypto even does client certs. Since Apr 2000, according to the very last
blog entry on the ZServerSSL page.

Yes, I did try this and have my client authenticated to the server.

Thanks for this quick and clear answer ;)

Marc

Marc Poulhiès <ma***********@NO-SP4Mepfl.ch> writes:

ng**@netmemetic.com (Ng Pheng Siong) writes:

M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)

Hi again!

So here are few lines that do server's CRT check. I still have one
question: see in the code. Both have the exact same description on
the documentation.

Btw, thanks for your answer (this will save me from using Perl!)
Marc

---8<-------8<-------8<-------8<----
#!/usr/bin/env python
import M2Crypto

ctx = M2Crypto.SSL.Context()

## what are the diff between these two??
#ctx.load_verify_info(cafile="/tmp/ca.crt")
ctx.load_verify_locations(cafile="/tmp/ca.crt")

# load client certificate (used to authenticate the client)
ctx.load_cert("/tmp/client.crt")

# stop if peer's certificate can't be verified
ctx.set_allow_unknown_ca(False)

# verify peer's certificate
ctx.set_verify(M2Crypto.SSL.verify_peer, 1)

con = M2Crypto.httpslib.HTTPSConnection("my.ssl.server.d omain",ssl_context=ctx)

con.request("GET" , "/")
print con.getresponse().read()
---8<-------8<-------8<-------8<-----

Result here:
$ ./ssl_peer_verif.py
Enter passphrase:
send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Tue, 01 Feb 2005 08:41:51 GMT
header: Server: Apache/2.0.46 (Red Hat)
header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
header: ETag: "4297-13-24658680"
header: Accept-Ranges: bytes
header: Content-Length: 19
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
THIS IS WORKING =)

According to Marc Poulhiès <ma***********@NO-SP44Mepfl.ch>:

Btw, thanks for your answer (this will save me from using Perl!)
You're welcome.
## what are the diff between these two??
#ctx.load_verify_info(cafile="/tmp/ca.crt")
ctx.load_verify_locations(cafile="/tmp/ca.crt")
None. One is an alias for the other, to adhere to OpenSSL's naming
convention.
$ ./ssl_peer_verif.py
Enter passphrase:
send: 'GET / HTTP/1.1\r\nHost:
my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Tue, 01 Feb 2005 08:41:51 GMT
header: Server: Apache/2.0.46 (Red Hat)
header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
header: ETag: "4297-13-24658680"
header: Accept-Ranges: bytes
header: Content-Length: 19
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
THIS IS WORKING =)

Excellent! ;-)
--
Ng Pheng Siong <ng**@netmemetic.com>

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption