httplib and HTTPS Connections

runningwild wrote:

Helo,

This is the first time I have cared about httplib's HTTPSConnection.

In the docs I read "Note: HTTPS support is only available if the socket
module was compiled with SSL support."

Although my small test script "seems" to work when connecting to a
webserver via HTTPS I am really not sure.

In other words it worked the first time. I never trust anything that
seems to work right the first time. ;-)

My question is how can I tell if the criteria in the "NOTE:" is met?
How do I know that the socket module was indeed compled with SSL
support?

The reason this is important is that I am building a credit card
payment system.

Here is my little test script
========================
Python 2.4.3

import httplib
conn = httplib.HTTPSConnection('**********')
conn.request('GET' '/index.html')
resp = conn.getresponse()

page = resp.read()
print page

Quick followup:

I just got off the phone with my sys admin. Python was compiled with
the ssl flag turned on.
ssl does work other applications.

I am assuming we are covered. I just want to be sure.

runningwild wrote:

This is the first time I have cared about httplib's HTTPSConnection.

Please note that the Python builtin SSL support is not really secure. It
does not make sure that you connect to the site you think you are
connecting to, for example.

If you really need secure SSL (what is the point of SSL if not secure I
ask) you should look at other Python modules. There are several to
choose from, for example M2Crypto (I am the maintainer of that), TLS
Lite, PyOpenSSL, PyOpenSSL-extended, and possibly others that I am
forgetting right now.

--
Heikki Toivonen

runningwild wrote:

This is the first time I have cared about httplib's HTTPSConnection.

Please note that the Python builtin SSL support is not really secure. It
does not make sure that you connect to the site you think you are
connecting to, for example.

If you really need secure SSL (what is the point of SSL if not secure I
ask) you should look at other Python modules. There are several to
choose from, for example M2Crypto (I am the maintainer of that), TLS
Lite, PyOpenSSL, PyOpenSSL-extended, and possibly others that I am
forgetting right now.

--
Heikki Toivonen

Heikki Toivonen wrote:

runningwild wrote:

This is the first time I have cared about httplib's HTTPSConnection.

Please note that the Python builtin SSL support is not really secure. It
does not make sure that you connect to the site you think you are
connecting to, for example.

If you really need secure SSL (what is the point of SSL if not secure I
ask) you should look at other Python modules. There are several to
choose from, for example M2Crypto (I am the maintainer of that), TLS
Lite, PyOpenSSL, PyOpenSSL-extended, and possibly others that I am
forgetting right now.

--
Heikki Toivonen

Thanks Heikki,

I downloaded the varioius packages and read through the source code and
docs that came with them.

I am trying to get M2Crypto to work on my workstation. (WinXP/Cygwin,
Python 2.4.4 under cygwin)

Everything seemed to compile and install correctly.

When I try to run https_cli.py however I get the following exception:

LOOP: SSL connect: before/connect initialization
INFO: SSL connect: SSLv2 write client hello A
Traceback (most recent call last):
File "https_cli.py", line 41, in ?
test_httpslib()
File "https_cli.py", line 21, in test_httpslib
h.endheaders()
File "/usr/local/lib/python2.4/httplib.py", line 798, in endheaders
self._send_output()
File "/usr/local/lib/python2.4/httplib.py", line 679, in _send_output
self.send(msg)
File "/usr/local/lib/python2.4/httplib.py", line 646, in send
self.connect()
File "/usr/local/lib/python2.4/site-packages/M2Crypto/httpslib.py",
line 43, in connect
self.sock.connect((self.host, self.port))
File
"/usr/local/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py",
line 154, in connect
ret = self.connect_ssl()
File
"/usr/local/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py",
line 147, in connect_ssl
return m2.ssl_connect(self.ssl)
M2Crypto.SSL.SSLError: no ciphers available

The no ciphers available seems to be comming from the ssl installation
so I decided to test it with a different client.

%links https://localhost:9443/

This worked just fine showing me the directory listing and allowing me
to navigate.
This was also true for firefox when connecting to
https://localhost:9443/ from the server in
demos/httts.howto/orig_https_srv.py

Any idea what is going on here?

runningwild wrote:

When I try to run https_cli.py however I get the following exception:

This worked just fine showing me the directory listing and allowing me
to navigate.
This was also true for firefox when connecting to
https://localhost:9443/ from the server in
demos/httts.howto/orig_https_srv.py

Any idea what is going on here?

Sorry about that. I should put in prominent warnings that the demos
aren't actively maintained.

In this case the problem is that the old demo wants to use sslv2, but
the updated Context constructor explicitly disables that, so we don't
have any ssl versions available to do the connection.

The easiest way to fix this is to take out the argument to SSL.Context()
and let it use the defaults (defaults to all ssl versions).

I am fixing that demo as we speak, so it will be included in the next
M2Crypto release.

--
Heikki Toivonen