472,354 Members | 1,388 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

home > topics > python > questions > more m2crypto issues. not big ones, though.

Join Bytes to post your question to a community of 472,354 software developers and data experts.

More M2Crypto issues. Not big ones, though.

A list of small problems and bugs in the current M2Crypto:
I need to look at SSL certificates in some detail, so this
is all about the access functions for certificates.

Bugs:

1. Off by one error at "X509.get_ext_count()". Reports
eight extensions on a certificate that only has seven.
get_ext_at works for extensions 0..6, then returns
an undefined for the nonexistent #7.
Test against "https://www.verisign.com".
Entered into Bugzilla as #7717.

3. /M2Crypto/SSL/Connection.py:147:
DeprecationWarning: Old style callback, use cb_func(ok, store)
instead return m2.ssl_connect(self.ssl)
(Also reported, in Polish, here:
http://www.mail-archive.com/pl******.../msg12433.html)
Entered into Bugzilla as #7718.

4. "close()" on an SSL socket that's just finished certificate
negotiation hangs, at least on Windows. "del" does not hang,
but I don't know if there's a leak problem.
Not enough info yet to file a bug report. I might be doing
something wrong there. Any known "close" issues?

Other issues:

1. X509.X509_name.__getattr__:
Field retrieval from X.509 name items with x509_name_by_nid
retrieves only first instance of field, not all instances.
Really should return a list. The same key is used more
than once very frequently; these keys aren't unique.
It's tempting to treat these things like a hash, but they
don't really work that way. As for simply iterating through
the name elements, there's no direct way to just get the
elements one at a time. X509_Name has an "entry_count"
method, but no way to get the Nth entry.

As a workaround, I'm converting the X508_name to a string with
subjectstr = peer.get_subject().as_text(
flags=(m2.XN_FLAG_RFC2253 | m2.ASN1_STRFLGS_UTF8_CONVERT)
& ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS) # in RFC2253 format
This is safely parseable. While the default format doesn't have
escapes around the delimiter characters, with these flags,
entries are comma-separated with backslash escapes where
necessary. This works, unlike the "server()" function in
Python's built-in SSL, which returns a debug format that
has the same characters as delimiters and text.

2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
OpenSSL will return info in UTF-8 if you use the
ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
M2 glue code handles this correctly. Haven't found a UTF8 cert
to test it on yet.

Other than that, I'm having relatively good results with M2Crypto.

John Nagle
Jan 12 '07 #1
2 1849
John Nagle wrote:
A list of small problems and bugs in the current M2Crypto:
I need to look at SSL certificates in some detail, so this
is all about the access functions for certificates.
Thanks, got the reports, will check them out.
3. /M2Crypto/SSL/Connection.py:147:
DeprecationWarning: Old style callback, use cb_func(ok, store)
instead return m2.ssl_connect(self.ssl)
(Also reported, in Polish, here:
http://www.mail-archive.com/pl******.../msg12433.html)
Entered into Bugzilla as #7718.
This is actually intended. Once I figure out how to implement all the
functionality in the new way I'd like to remove the old way.
>
4. "close()" on an SSL socket that's just finished certificate
negotiation hangs, at least on Windows. "del" does not hang,
but I don't know if there's a leak problem.
Not enough info yet to file a bug report. I might be doing
something wrong there. Any known "close" issues?
No known issues, but the ending of an SSL connection is a little grey
area to me so I wouldn't be surprised if there are some cases where we
shut down prematurely or too late. But I don't know why we'd hang.
1. X509.X509_name.__getattr__:
Field retrieval from X.509 name items with x509_name_by_nid
retrieves only first instance of field, not all instances.
Yes, I've been battling with this myself as well. OpenSSL provides
objects to get things as a list, but they are so weird I haven't yet
figured out a way to wrap them in Python so that you would actually be
able to get some values out.
2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
OpenSSL will return info in UTF-8 if you use the
ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
M2 glue code handles this correctly. Haven't found a UTF8 cert
to test it on yet.
Yeah, I am not convinced everything works as it should. Any UTF8 (and
other encoding) samples would be welcome.
Other than that, I'm having relatively good results with M2Crypto.
Glad to hear.

--
Heikki Toivonen
Jan 13 '07 #2
Heikki Toivonen wrote:
John Nagle wrote:
> A list of small problems and bugs in the current M2Crypto:
I need to look at SSL certificates in some detail, so this
is all about the access functions for certificates.


Thanks, got the reports, will check them out.

> 3. /M2Crypto/SSL/Connection.py:147:
DeprecationWarning: Old style callback, use cb_func(ok, store)
instead return m2.ssl_connect(self.ssl)
(Also reported, in Polish, here:
http://www.mail-archive.com/pl******.../msg12433.html)
Entered into Bugzilla as #7718.


This is actually intended. Once I figure out how to implement all the
functionality in the new way I'd like to remove the old way.
OK.
> 4. "close()" on an SSL socket that's just finished certificate
negotiation hangs, at least on Windows.

No known issues, but the ending of an SSL connection is a little grey
area to me so I wouldn't be surprised if there are some cases where we
shut down prematurely or too late. But I don't know why we'd hang.
I'll check that again.
>
> 1. X509.X509_name.__getattr__:
Field retrieval from X.509 name items with x509_name_by_nid
retrieves only first instance of field, not all instances.

Yes, I've been battling with this myself as well. OpenSSL provides
objects to get things as a list, but they are so weird I haven't yet
figured out a way to wrap them in Python so that you would actually be
able to get some values out.
I convert X509_name items to a list of tuples. Here's an example:

Server: [
('CN', 'www.apartmentsapart.com'),
('OU', 'Travel Services'),
('O', 'Niche Travel Ltd.'),
('L', 'Nicosia'),
('ST', 'Nicosia'),
('C', 'CY')]

That's straightforward.

But to do this I have to convert the X509_name item to a string, like this:

subjectstr = subject.as_text(flags=(m2.XN_FLAG_RFC2253 |
m2.ASN1_STRFLGS_UTF8_CONVERT) & ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS)

which yields a string of items like "L=Nicosia, OU=Travel Services", with
backslash escapes where necessary. (The default formatting does not
have proper escaping; it's just for debug use.) So I parse that,
obeying the escapes, and get out the tuples. This works OK, but
shouldn't be necessary. It's not something I need now, though.

Most things in X509 certificates map well to lists of tuples.
> 2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
OpenSSL will return info in UTF-8 if you use the
ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
M2 glue code handles this correctly. Haven't found a UTF8 cert
to test it on yet.


Yeah, I am not convinced everything works as it should. Any UTF8 (and
other encoding) samples would be welcome.
Looking for one. I think all that's needed is to recognize when
ASN1_STRFLGS_UTF8_CONVERT is set when converting to a Python string,
and convert to the appropriate form of Python string.

Just rediscovered bug #5277, "Support certificates with multiple DNS
names", which is fixed in 0.18. Looking forward to version 0.18.
If you want to test that, try to open "https://www.autumngalleryforthehome.com".

John Nagle

Jan 13 '07 #3
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

303
BIG successes of Lisp (was ...)
by: mike420 | last post by:
In the context of LATEX, some Pythonista asked what the big successes of Lisp were. I think there were at least three *big* successes. a. orbitz.com web site uses Lisp for algorithms, etc. b....
Python
5
Zope, M2Crypto, and Gentoo
by: jsmilan | last post by:
Hi, all; I'm strictly an amateur developer who has dabbled in a half dozen languages on eight or nine systems over 20 years or so. I have never devoted the time or energy to thoroughly learn...
Python
1
Errors testing m2crypto
by: morphex | last post by:
Hi, I get the following messages running the testall.py script with m2crypto 0.13, can anyone tell me what's wrong? .................................................................EEEEEE...
Python
8
Wierd M2Crypto bug - phony "peer did not return certificate" error
by: John Nagle | last post by:
Here's a wierd problem: I have a little test case for M2Crypto, which just opens up SSL connections to web servers and reads their certificates. This works fine. But if I execute ...
Python
8
More M2Crypto issues
by: John Nagle | last post by:
I've been running M2Crypto successfully using Python 2.4 on Windows 2000, and now I'm trying to get it to work on Python 2.3.4 on Linux. Attempting to initialize a context results in Traceback...
Python
2
More M2Crypto build problems
by: John Nagle | last post by:
Trying to build M2Crypto on a dedicated server running Red Hat Fedora Core 6. I'm trying to do this right, without manual patching. The error message I'm getting during build is: python...
Python
10
Socket exceptions aren't in the standard exception hierarchy
by: John Nagle | last post by:
Here are three network-related exceptions. These were caught by "except" with no exception type, because none of the more specific exceptions matched. This is what a traceback produced: 1....
Python
5
More urllib timeout issues.
by: John Nagle | last post by:
I thought I had all the timeout problems with urllib worked around, but no. socket.setdefaulttimeout is useful, but not always effective. I'm setting that to 15 seconds. If the host end won't...
Python
7
M2Crypto 0.18 - new version, same old build bugs.
by: John Nagle | last post by:
Back in March, I posted this: That was for M2Crypto 0.17. It's still broken in M2Crypto 0.18. And there's no RPM or Windows binary. Nobody actually uses this stuff, do they?
Python
2
Benefits of Blockchain App Development for Enterprise Businesses
by: Kemmylinns12 | last post by:
Blockchain technology has emerged as a transformative force in the business world, offering unprecedented opportunities for innovation and efficiency. While initially associated with cryptocurrencies...
General
0
Basic concepts of WebLogic Admin training?
by: Naresh1 | last post by:
What is WebLogic Admin Training? WebLogic Admin Training is a specialized program designed to equip individuals with the skills and knowledge required to effectively administer and manage Oracle...
Oracle Database
0
Hyperconverged All-in-One Streaming Engine, ushering in new age for distributed database
by: antdb | last post by:
Ⅰ. Advantage of AntDB: hyper-convergence + streaming processing engine In the overall architecture, a new "hyper-convergence" concept was proposed, which integrated multiple engines and...
General
1
How to layout php header location with a variable as the location?
by: Matthew3360 | last post by:
Hi there. I have been struggling to find out how to use a variable as my location in my header redirect function. Here is my code. header("Location:".$urlback); Is this the right layout the...
PHP
0
HOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and on my computer
by: AndyPSV | last post by:
HOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and on my computerHOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and...
General
0
How do I view Redshift db tables in Alteryx
by: Arjunsri | last post by:
I have a Redshift database that I need to use as an import data source. I have configured the DSN connection using the server, port, database, and credentials and received a successful connection...
General
0
hi
by: WisdomUfot | last post by:
It's an interesting question you've got about how Gmail hides the HTTP referrer when a link in an email is clicked. While I don't have the specific technical details, Gmail likely implements measures...
General
0
Oralloy
FPGA Question
by: Oralloy | last post by:
Hello Folks, I am trying to hook up a CPU which I designed using SystemC to I/O pins on an FPGA. My problem (spelled failure) is with the synthesis of my design into a bitstream, not the C++...
General
0
BLUEPANDA
Join our open community on Discord to learn programming, SEO, and marketing
by: BLUEPANDA | last post by:
At BluePanda Dev, we're passionate about building high-quality software and sharing our knowledge with the community. That's why we've created a SaaS starter kit that's not only easy to use but also...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2023
About Bytes
Advertise
Terms Of Use
Privacy Policy

Sitemap

Follow us! Get the Latest Bytes Updates