
More M2Crypto issues. Not big ones, though.

A list of small problems and bugs in the current M2Crypto:
I need to look at SSL certificates in some detail, so this
is all about the access functions for certificates.

Bugs:

1. Off by one error at "X509.get_ext_count()". Reports
eight extensions on a certificate that only has seven.
get_ext_at works for extensions 0..6, then returns
an undefined for the nonexistent #7.
Test against "https://www.verisign.com".
Entered into Bugzilla as #7717.

3. /M2Crypto/SSL/Connection.py:147:
DeprecationWarning: Old style callback, use cb_func(ok, store)
instead return m2.ssl_connect(self.ssl)
(Also reported, in Polish, here:
http://www.mail-archive.com/pl******.../msg12433.html)
Entered into Bugzilla as #7718.

4. "close()" on an SSL socket that's just finished certificate
negotiation hangs, at least on Windows. "del" does not hang,
but I don't know if there's a leak problem.
Not enough info yet to file a bug report. I might be doing
something wrong there. Any known "close" issues?

Other issues:

1. X509.X509_name.__getattr__:
Field retrieval from X.509 name items with x509_name_by_nid
retrieves only first instance of field, not all instances.
Really should return a list. The same key is used more
than once very frequently; these keys aren't unique.
It's tempting to treat these things like a hash, but they
don't really work that way. As for simply iterating through
the name elements, there's no direct way to just get the
elements one at a time. X509_Name has an "entry_count"
method, but no way to get the Nth entry.

As a workaround, I'm converting the X509_name to a string with
    subjectstr = peer.get_subject().as_text(
        flags=(m2.XN_FLAG_RFC2253 | m2.ASN1_STRFLGS_UTF8_CONVERT)
              & ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS)  # in RFC2253 format
This is safely parseable. While the default format doesn't have
escapes around the delimiter characters, with these flags,
entries are comma-separated with backslash escapes where
necessary. This works, unlike the "server()" function in
Python's built-in SSL, which returns a debug format that
has the same characters as delimiters and text.

2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
OpenSSL will return info in UTF-8 if you use the
ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
M2 glue code handles this correctly. Haven't found a UTF8 cert
to test it on yet.

Other than that, I'm having relatively good results with M2Crypto.

John Nagle
Jan 12 '07 #1


John Nagle wrote:
> A list of small problems and bugs in the current M2Crypto:
> I need to look at SSL certificates in some detail, so this
> is all about the access functions for certificates.

Thanks, got the reports, will check them out.

> 3. /M2Crypto/SSL/Connection.py:147:
> DeprecationWarning: Old style callback, use cb_func(ok, store)
> instead return m2.ssl_connect(self.ssl)
> (Also reported, in Polish, here:
> http://www.mail-archive.com/pl******.../msg12433.html)
> Entered into Bugzilla as #7718.

This is actually intended. Once I figure out how to implement all the
functionality in the new way I'd like to remove the old way.

> 4. "close()" on an SSL socket that's just finished certificate
> negotiation hangs, at least on Windows. "del" does not hang,
> but I don't know if there's a leak problem.
> Not enough info yet to file a bug report. I might be doing
> something wrong there. Any known "close" issues?

No known issues, but the ending of an SSL connection is a little grey
area to me so I wouldn't be surprised if there are some cases where we
shut down prematurely or too late. But I don't know why we'd hang.

> 1. X509.X509_name.__getattr__:
> Field retrieval from X.509 name items with x509_name_by_nid
> retrieves only first instance of field, not all instances.

Yes, I've been battling with this myself as well. OpenSSL provides
objects to get things as a list, but they are so weird I haven't yet
figured out a way to wrap them in Python so that you would actually be
able to get some values out.

> 2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
> OpenSSL will return info in UTF-8 if you use the
> ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
> M2 glue code handles this correctly. Haven't found a UTF8 cert
> to test it on yet.

Yeah, I am not convinced everything works as it should. Any UTF8 (and
other encoding) samples would be welcome.

> Other than that, I'm having relatively good results with M2Crypto.

Glad to hear.

--
Heikki Toivonen
Jan 13 '07 #2

Heikki Toivonen wrote:
> John Nagle wrote:
> > A list of small problems and bugs in the current M2Crypto:
> > I need to look at SSL certificates in some detail, so this
> > is all about the access functions for certificates.
>
> Thanks, got the reports, will check them out.
>
> > 3. /M2Crypto/SSL/Connection.py:147:
> > DeprecationWarning: Old style callback, use cb_func(ok, store)
> > instead return m2.ssl_connect(self.ssl)
> > (Also reported, in Polish, here:
> > http://www.mail-archive.com/pl******.../msg12433.html)
> > Entered into Bugzilla as #7718.
>
> This is actually intended. Once I figure out how to implement all the
> functionality in the new way I'd like to remove the old way.

OK.

> > 4. "close()" on an SSL socket that's just finished certificate
> > negotiation hangs, at least on Windows.
>
> No known issues, but the ending of an SSL connection is a little grey
> area to me so I wouldn't be surprised if there are some cases where we
> shut down prematurely or too late. But I don't know why we'd hang.

I'll check that again.

> > 1. X509.X509_name.__getattr__:
> > Field retrieval from X.509 name items with x509_name_by_nid
> > retrieves only first instance of field, not all instances.
>
> Yes, I've been battling with this myself as well. OpenSSL provides
> objects to get things as a list, but they are so weird I haven't yet
> figured out a way to wrap them in Python so that you would actually be
> able to get some values out.
I convert X509_name items to a list of tuples. Here's an example:

Server: [
    ('CN', 'www.apartmentsapart.com'),
    ('OU', 'Travel Services'),
    ('O', 'Niche Travel Ltd.'),
    ('L', 'Nicosia'),
    ('ST', 'Nicosia'),
    ('C', 'CY')]

That's straightforward.

But to do this I have to convert the X509_name item to a string, like this:

    subjectstr = subject.as_text(flags=(m2.XN_FLAG_RFC2253 |
        m2.ASN1_STRFLGS_UTF8_CONVERT) & ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS)

which yields a string of items like "L=Nicosia, OU=Travel Services", with
backslash escapes where necessary. (The default formatting does not
have proper escaping; it's just for debug use.) So I parse that,
obeying the escapes, and get out the tuples. This works OK, but
shouldn't be necessary. It's not something I need now, though.

Most things in X509 certificates map well to lists of tuples.
> > 2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
> > OpenSSL will return info in UTF-8 if you use the
> > ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
> > M2 glue code handles this correctly. Haven't found a UTF8 cert
> > to test it on yet.
>
> Yeah, I am not convinced everything works as it should. Any UTF8 (and
> other encoding) samples would be welcome.
Looking for one. I think all that's needed is to recognize when
ASN1_STRFLGS_UTF8_CONVERT is set when converting to a Python string,
and convert to the appropriate form of Python string.

Just rediscovered bug #5277, "Support certificates with multiple DNS
names", which is fixed in 0.18. Looking forward to version 0.18.
If you want to test that, try to open "https://www.autumngalleryforthehome.com".

John Nagle

Jan 13 '07 #3
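The parsing step both of John's posts describe (RFC 2253 string with backslash escapes into a list of tuples, keeping repeated attributes, and decoding the byte-wise \XX escapes OpenSSL emits for non-ASCII UTF-8), as an added example that is not code from the thread or from M2Crypto; the sample string and the get_all helper are constructed for illustration:

```python
# Added example, not from the thread or from M2Crypto: parse an RFC 2253
# style name string (what as_text(flags=XN_FLAG_RFC2253 | ...) produces)
# into an ordered list of (key, value) tuples.  It honours "\," style
# escapes, turns "\XX" hex escapes back into raw bytes so byte-wise
# escaped UTF-8 decodes to Unicode, and keeps every instance of a
# repeated attribute instead of only the first.

HEX = "0123456789abcdefABCDEF"

def parse_rfc2253(name):
    """Return [(key, value), ...] in the order the attributes appear."""
    entries = []
    key, value = bytearray(), bytearray()
    cur = key
    i, n = 0, len(name)
    while i < n:
        c = name[i]
        if c == "\\" and i + 1 < n:
            pair = name[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                cur.append(int(pair, 16))            # "\C3" -> one raw byte
                i += 3
            else:
                cur += name[i + 1].encode("utf-8")   # "\," "\+" "\\" etc.
                i += 2
            continue
        if c == "=" and cur is key:
            cur = value                              # switch key -> value
        elif c in ",+":                              # RDN / AVA separator
            entries.append((key.decode("utf-8").strip(),
                            value.decode("utf-8", "replace")))
            key, value = bytearray(), bytearray()
            cur = key
        else:
            cur += c.encode("utf-8")
        i += 1
    if key or value:                                 # flush last attribute
        entries.append((key.decode("utf-8").strip(),
                        value.decode("utf-8", "replace")))
    return entries

def get_all(entries, wanted):
    """Every value for one attribute type, e.g. all OU entries, not just the first."""
    return [v for k, v in entries if k == wanted]

# Constructed sample: an escaped comma, two OU entries and a UTF-8 "é"
# (bytes C3 A9) escaped byte-by-byte as OpenSSL's ESC_MSB output does.
SAMPLE = "CN=Niche Travel\\, Ltd.,OU=Travel,OU=Sales,L=Nicosia,C=CY,O=Caf\\C3\\A9"
```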
