Bytes | Software Development & Data Engineering Community

Python and SSL

I need to use Python with SSL communication between servers.
(I use httplib but I think urllib2 can also be used.)
I think I need to use an SSL root certificate and tell a program to
trust this certificate.
But how can I tell my Python program to trust my SSL certificate?
When I tried before I received the error 503.
Thank you for your help
L,

Sep 28 '07 #1
Johny wrote:
> I need to use Python with SSL communication between servers.
> (I use httplib but I think urllib2 can also be used.)
> I think I need to use an SSL root certificate and tell a program to
> trust this certificate.

You can't do secure SSL with the builtin SSL support, you need to use a
third party module. There are a few available, including M2Crypto, TLS
Lite, pyOpenSSL and pyOpenSSL-extended. Since I am the maintainer of
M2Crypto I will naturally recommend that ;)

http://chandlerproject.org/Projects/MeTooCrypto

--
Heikki Toivonen
Sep 28 '07 #2
I heard that python 2.6 will include full "server-side SSL
support" (whatever this means).
Is it true?

Sep 28 '07 #3
> I need to use Python with SSL communication between servers.
> (I use httplib but I think urllib2 can also be used.)
> I think I need to use an SSL root certificate and tell a program to
> trust this certificate.

I don't think so - what the SSL module does is already fine for you.

> But how can I tell my Python program to trust my SSL certificate?

Why do you want to tell it that? The SSL module will trust *any*
server certificate, no need to tell it explicitly which ones to
trust.

> When I tried before I received the error 503

That must be an independent error.

Regards,
Martin
Sep 28 '07 #4
> I heard that python 2.6 will include full "server-side SSL
> support" (whatever this means).
> Is it true?

Yes, that's true.

Regards,
Martin
Sep 28 '07 #5
Heikki Toivonen wrote:
> Johny wrote:
>> I need to use Python with SSL communication between servers.
>> (I use httplib but I think urllib2 can also be used.)
>> I think I need to use an SSL root certificate and tell a program to
>> trust this certificate.
>
> You can't do secure SSL with the builtin SSL support, you need to use a
> third party module. There are a few available, including M2Crypto, TLS
> Lite, pyOpenSSL and pyOpenSSL-extended. Since I am the maintainer of
> M2Crypto I will naturally recommend that ;)
>
> http://chandlerproject.org/Projects/MeTooCrypto

Any progress on getting M2Crypto 0.18 to build successfully
on Fedora Core?

John Nagle

Sep 29 '07 #6
"Martin v. Löwis" <ma****@v.loewis.de> writes:
>> But how can I tell my Python program to trust my SSL certificate?
>
> Why do you want to tell it that? The SSL module will trust *any*
> server certificate, no need to tell it explicitly which ones to
> trust.

Er, the whole idea of SSL is that you don't trust the connection. So
failing to authenticate the other end is a security failure and SSL
should not be used that way. From RFC 4346:

Warning: Completely anonymous connections only provide protection
against passive eavesdropping. Unless an independent
tamper-proof channel is used to verify that the finished
messages were not replaced by an attacker, server
authentication is required in environments where active
man-in-the-middle attacks are a concern.

It's silly to worry about an eavesdropper being nosy enough to
intercept your data passively, but somehow still expect them to be
considerate enough to not use an MITM attack. Always use
authentication if it's worth bothering with cryptographic security at
all.

Another plan for server to server communication might be to use a VPN
rather than connection level SSL. That would simplify your
application programming if you can set up the encrypted network at
both ends.
Sep 29 '07 #7
>>> But how can I tell my Python program to trust my SSL certificate?
>>
>> Why do you want to tell it that? The SSL module will trust *any*
>> server certificate, no need to tell it explicitly which ones to
>> trust.
>
> Er, the whole idea of SSL is that you don't trust the connection.

Please try to understand the OP's question. He got some error,
and for some reason, he concluded that he needs to tell Python
to trust the server certificate (most likely to make the error
go away). I told him that he is likely wrong, and that Python already
trusts his server certificate. I was not proposing any judgment on
whether that's a good thing or not. In fact, I have no idea whether
security was of any concern to the OP.

Regards,
Martin
Sep 29 '07 #8
"Martin v. Löwis" <ma****@v.loewis.de> writes:
> Please try to understand the OP's question. He got some error,
> and for some reason, he concluded that he needs to tell Python
> to trust the server certificate (most likely to make the error
> go away). I told him that he is likely wrong, and that Python already
> trusts his server certificate. I was not proposing any judgment on
> whether that's a good thing or not. In fact, I have no idea whether
> security was of any concern to the OP.

Oh, I see, I didn't interpret the question that way but it does fit
and the answer is reasonable in that situation.
Sep 29 '07 #9
Paul Rubin wrote:
> "Martin v. Löwis" <ma****@v.loewis.de> writes:
>>> But how can I tell my Python program to trust my SSL certificate?
>>
>> Why do you want to tell it that? The SSL module will trust *any*
>> server certificate, no need to tell it explicitly which ones to
>> trust.
>
> Er, the whole idea of SSL is that you don't trust the connection. So
> failing to authenticate the other end is a security failure and SSL
> should not be used that way. From RFC 4346:
>
>    Warning: Completely anonymous connections only provide protection
>             against passive eavesdropping. Unless an independent
>             tamper-proof channel is used to verify that the finished
>             messages were not replaced by an attacker, server
>             authentication is required in environments where active
>             man-in-the-middle attacks are a concern.

Right. The key point here is that Python's standard SSL module
doesn't actually check the validity of SSL certificates. It just
makes client connections without checking. It will happily connect
to sites offering totally bogus certificates, even ones with the wrong
domain name.

M2Crypto actually checks. M2Crypto has much better functionality,
but it's rather hard to build.

John Nagle
Sep 29 '07 #10
John Nagle wrote:
> Any progress on getting M2Crypto 0.18 to build successfully
> on Fedora Core?

I have had no luck getting a Fedora Core environment running. Ubuntu is
my main OS, but I do have VMWare installed. I tried to install FC7 from
the live CD into VMWare, but the installer dies. I also tried to
download a ready-made FC8t1 VMWare appliance, but it fails to boot. So
currently I am dead in the water.

--
Heikki Toivonen
Sep 30 '07 #11
On Sep 28, 11:13 pm, Heikki Toivonen <hei...@osafoundation.org> wrote:
> Johny wrote:
>> I need to use Python with SSL communication between servers.
>> (I use httplib but I think urllib2 can also be used.)
>> I think I need to use an SSL root certificate and tell a program to
>> trust this certificate.
>
> You can't do secure SSL with the builtin SSL support, you need to use a
> third party module. There are a few available, including M2Crypto, TLS
> Lite, pyOpenSSL and pyOpenSSL-extended. Since I am the maintainer

Thank you all for your help.
I probably put my question in a wrong way.
So again:
For the purpose of application debugging I would like to know
how to add a new
certification authority to Python (so that my Python program will
accept that certificate).
By using my Python program I am attempting to trust a certificate
signed by a certification authority that Python doesn't trust, and that
causes the error.
Thanks for your help.
L.
Oct 1 '07 #12
Johny <py****@hope.cz> writes:
> By using my Python program I am attempting to trust a certificate
> signed by a certification authority that Python doesn't trust, and that
> causes the error.

No, as Martin points out, Python trusts EVERY certificate, which of
course misses the whole point of certificates. Whatever is making
your program fail is something different.
Oct 1 '07 #13
On Oct 1, 4:31 pm, Paul Rubin <http://phr...@NOSPAM.invalid> wrote:
> Johny <pyt...@hope.cz> writes:
>> By using my Python program I am attempting to trust a certificate
>> signed by a certification authority that Python doesn't trust, and that
>> causes the error.
>
> No, as Martin points out, Python trusts EVERY certificate, which of
> course misses the whole point of certificates. Whatever is making
> your program fail is something different.

Paul, are you 100% sure? It is hard to believe.
In Java it is possible so I would expect that to be possible in Python
too.
L.
Oct 1 '07 #14
>> No, as Martin points out, Python trusts EVERY certificate, which of
>> course misses the whole point of certificates. Whatever is making
>> your program fail is something different.
>
> Paul, are you 100% sure? It is hard to believe.

Not sure how many confirmations you want, but I can add another one.
Paul is 100% correct. Python's SSL module, as shipped in Python 2.5.x
and earlier, performs no verification of the server certificate
whatsoever; it will silently accept any server certificate as correct.

Regards,
Martin
Oct 1 '07 #15
Martin v. Löwis wrote:
>>> No, as Martin points out, Python trusts EVERY certificate, which of
>>> course misses the whole point of certificates. Whatever is making
>>> your program fail is something different.
>>
>> Paul, are you 100% sure? It is hard to believe.
>
> Not sure how many confirmations you want, but I can add another one.
> Paul is 100% correct. Python's SSL module, as shipped in Python 2.5.x
> and earlier, performs no verification of the server certificate
> whatsoever; it will silently accept any server certificate as correct.
>
> Regards,
> Martin

Actually, the SSL certificate has to be in valid format, because
OpenSSL does require that. But there's no verification of the certificate
chain in Python's SSL module; it doesn't matter who signed it. You can
create your own SSL certificates (there are tools for this) and Python's
SSL module will accept that.

If you have a site that won't open with Python's stock SSL module,
try opening it with a browser. If you get a warning message about the
certificate issuer not being validated, that's something Python will
ignore. If you can't open the site with HTTPS at all, even after bypassing
warning messages, then the certificate at the other end may be nonexistent
or invalid.

John Nagle
Oct 1 '07 #16
> Actually, the SSL certificate has to be in valid format, because
> OpenSSL does require that.

Sure. However, in the first message, the OP mentioned that he gets error
503. That tells me that the SSL connection had been established
successfully, and that he was actually seeing a HTTP error, not an SSL
one (unless he made up that error code, of course).

Regards,
Martin
Oct 1 '07 #17
Thank you all for your replies.
I am still a newbie with SSL issues but I found out that:
a certificate that is signed by OpenSSL's own CA (certification
authority), that is not recognized in the program's list of root CAs,
causes an exception to be raised.
(That is a different behaviour from the built-in SSL.)
So, my question again,
how can I add a certificate to the list of root CAs?
Thanks for your help
L.

Oct 3 '07 #18
> a certificate that is signed by OpenSSL's own CA (certification
> authority), that is not recognized in the program's list of root CAs,
> causes an exception to be raised.

What is "the program"? What programming language is it written in?
What library does it use to maintain a list of root CAs, and what
code does it execute to find out that a certificate is not in this
list?

Are you sure this is related to Python at all?

Regards,
Martin
Oct 3 '07 #19
On Oct 3, 7:51 am, "Martin v. Löwis" <mar...@v.loewis.de> wrote:
>> a certificate that is signed by OpenSSL's own CA (certification
>> authority), that is not recognized in the program's list of root CAs,
>> causes an exception to be raised.
>
> What is "the program"? What programming language is it written in?
> What library does it use to maintain a list of root CAs, and what
> code does it execute to find out that a certificate is not in this
> list?
>
> Are you sure this is related to Python at all?

Martin,
Thank you for your reply.

It looks like this

MyPythonProgram --->Proxy---->Server
The proxy is written in Java. I want to use that proxy to see what my
Python program sends to server.
The proxy uses its own certificate and this certificate must be
trusted, I think, otherwise I receive an error.

If I use
InternetBrowser --->Proxy---->Server

the browser asks me if the Proxy's certificate is trusted. If I reply YES,
then communication continues (I think the browser adds this certificate
among the trusted ones).

So, can you help, please?
Thanks.
L.

Oct 3 '07 #20
On Wed, 03 Oct 2007 04:32:04 -0300, Johny <py****@hope.cz> wrote:
> MyPythonProgram --->Proxy---->Server
> The proxy is written in Java. I want to use that proxy to see what my
> Python program sends to server.
> The proxy uses its own certificate and this certificate must be
> trusted, I think, otherwise I receive an error.
>
> If I use
> InternetBrowser --->Proxy---->Server
>
> the browser asks me if the Proxy's certificate is trusted. If I reply YES,
> then communication continues (I think the browser adds this certificate
> among the trusted ones).

Which OS?
Windows itself manages certificate storage. Control Panel, Internet
Options, Contents, Certificates. You can import your certificate there.

--
Gabriel Genellina

Oct 3 '07 #21
> It looks like this
>
> MyPythonProgram --->Proxy---->Server
> The proxy is written in Java. I want to use that proxy to see what my
> Python program sends to server.
> The proxy uses its own certificate and this certificate must be
> trusted, I think, otherwise I receive an error.

What error do you receive precisely? Please copy it literally from
the terminal, don't rephrase it.

Regards,
Martin
Oct 3 '07 #22
On Oct 3, 2:17 pm, "Martin v. Löwis" <mar...@v.loewis.de> wrote:
>> It looks like this
>> MyPythonProgram --->Proxy---->Server
>> The proxy is written in Java. I want to use that proxy to see what my
>> Python program sends to server.
>> The proxy uses its own certificate and this certificate must be
>> trusted, I think, otherwise I receive an error.
>
> What error do you receive precisely? Please copy it literally from
> the terminal, don't rephrase it.

After I added the certificate that the proxy uses to the
Trusted Root Certification Authorities list, as
Gabriel described on Windows,

I receive

sslerror: (1, 'error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol')

What does it mean?
Thanks.
L

Oct 3 '07 #23
> After I added the certificate that the proxy uses to the
> Trusted Root Certification Authorities list, as
> Gabriel described on Windows,
>
> I receive
>
> sslerror: (1, 'error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol')
>
> What does it mean?

Technically, it means that OpenSSL does not support the version of
the SSL protocol that the proxy uses.

Practically, it more likely means that the proxy does not use SSL
at all at the port you are connecting to.

What host/port are you connecting to?

Regards,
Martin
Oct 3 '07 #24
Johny <py****@hope.cz> writes:
> On Oct 3, 2:17 pm, "Martin v. Löwis" <mar...@v.loewis.de> wrote:
>> It looks like this
>> MyPythonProgram --->Proxy---->Server

You want MyPythonProgram to be proxied by Proxy, using the HTTP
CONNECT method? (CONNECT is a way of asking the proxy to just shovel
encrypted SSL traffic from client to server.) Python's standard library
doesn't provide support for that. While it's possible to do it,
httplib does not provide all the code to do it, and it's actually
quite awkward to do from e.g. urllib2.

> The proxy is written in Java. I want to use that proxy to see what my
> Python program sends to server.

Does the proxy have support for behaving as a "man-in-the-middle",
then (by giving the proxy the private key)? I think I've heard of
that being done for test purposes, but I don't know the details.
Seems rather odd.

An easier way is to print the traffic from your Python program.
[...]
> After I added the certificate that the proxy uses to the
> Trusted Root Certification Authorities list, as
> Gabriel described on Windows,
>
> I receive
>
> sslerror: (1, 'error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol')
>
> What does it mean?

It means that it's trying to interpret SSL traffic as if it were HTTP
traffic. Look on ASPN Python Cookbook for a few recipes on HTTP
CONNECT (though ISTR I had to rework the one I looked at before it
worked for me). Ask if you get stuck.
John
Oct 3 '07 #25
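John's description of HTTP CONNECT above, worked through as an added example. This is not code from the thread or from the cookbook recipe it points to; it uses the Python 3 `ssl` and `socket` modules (the 2.5-era `socket.ssl` had no equivalent), and the proxy and target names in the usage function are placeholders. The order matters: the client must speak plaintext HTTP to the proxy first, and only start the TLS handshake once the proxy has answered `200` to `CONNECT`. Sending a ClientHello straight to the proxy's plaintext port gets an HTTP error page back, which OpenSSL then fails to parse as a ServerHello; `parse_connect_status` rejects the mirror-image mistake, a port that answers with TLS bytes instead of an HTTP status line.

```python
"""HTTP CONNECT tunnelling followed by a verified TLS handshake.

Added example, not code from the thread. Python 3 stdlib only; hosts
named in fetch_via_proxy() are hypothetical placeholders.
"""
import socket
import ssl


def build_connect_request(host: str, port: int) -> bytes:
    """Frame the CONNECT request the proxy expects before any TLS byte is sent."""
    target = f"{host}:{port}"
    return (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_status(reply: bytes) -> int:
    """Return the status code from the proxy's reply to CONNECT.

    Raises ValueError when the bytes are not an HTTP status line, which is
    what comes back if the port is not a plaintext proxy port (for example
    a TLS record starting 0x16 0x03 ...) or the reply is truncated.
    """
    head, sep, _ = reply.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete reply: no end of headers")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line[:40]!r}")
    return int(parts[1])


def read_until_headers_end(sock: socket.socket, limit: int = 8192) -> bytes:
    """Read the proxy's reply up to the blank line, bounding the buffer so a
    misbehaving peer cannot make the client buffer forever."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("proxy reply too large")
    return buf


def open_tunnel(proxy_host, proxy_port, target_host, target_port, ctx):
    """TCP to the proxy, CONNECT, then TLS *inside* the tunnel.

    The handshake is with the target, so the certificate is verified
    against target_host, not against the proxy. An intercepting proxy
    that re-signs the server certificate only passes if its CA is in ctx.
    """
    sock = socket.create_connection((proxy_host, proxy_port))
    try:
        sock.sendall(build_connect_request(target_host, target_port))
        status = parse_connect_status(read_until_headers_end(sock))
        if status != 200:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        return ctx.wrap_socket(sock, server_hostname=target_host)  # handshakes now
    except Exception:
        sock.close()
        raise


def fetch_via_proxy(proxy_host, proxy_port, target_host, cafile=None):
    """Usage (real network I/O; hosts are placeholders). cafile is the PEM
    bundle holding the CA you chose to trust, e.g. the debugging proxy's."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    with open_tunnel(proxy_host, proxy_port, target_host, 443, ctx) as tls:
        req = f"HEAD / HTTP/1.1\r\nHost: {target_host}\r\nConnection: close\r\n\r\n"
        tls.sendall(req.encode("ascii"))
        return tls.recv(4096)
```

On Python 2.7 and 3.2 or later, `http.client.HTTPSConnection.set_tunnel(host, port)` performs the same CONNECT dance for you; the hand-written version above is only there to make the two-phase exchange visible.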
Martin and John,
Thank you both for your replies
Must I have OpenSSL imported in my Python program?
So far I have been using only SSL support.
Built-in SSL support works OK if I connect from my Python program
directly to an SSL server (but not via proxy).
L.

Oct 4 '07 #26
Johny wrote:
> Martin and John,
> Thank you both for your replies
> Must I have OpenSSL imported in my Python program?
> So far I have been using only SSL support.
> Built-in SSL support works OK if I connect from my Python program
> directly to an SSL server (but not via proxy).
> L.

SSL isn't SUPPOSED to work through proxies. That's the whole point of
SSL - to prevent somebody in the middle from tapping into the connection.
Look up "man in the middle attack".

John Nagle
Oct 5 '07 #27
On Oct 5, 3:50 am, John Nagle <na...@animats.com> wrote:
> Johny wrote:
>> Martin and John,
>> Thank you both for your replies
>> Must I have OpenSSL imported in my Python program?
>> So far I have been using only SSL support.
>> Built-in SSL support works OK if I connect from my Python program
>> directly to an SSL server (but not via proxy).
>> L.
>
> SSL isn't SUPPOSED to work through proxies. That's the whole point of
> SSL - to prevent somebody in the middle from tapping into the connection.
> Look up "man in the middle attack".


John,
SSL may not be SUPPOSED to work through proxies but it CAN work.
JAVA is an example. But I would like to use Python instead of Java.
And because I have not been able to make it I asked here about
OpenSSL.
Regards,
L.

Oct 5 '07 #28
On Oct 5, 2:50 am, John Nagle <na...@animats.com> wrote:
> Johny wrote:
>> Martin and John,
>> Thank you both for your replies
>> Must I have OpenSSL imported in my Python program?
>> So far I have been using only SSL support.
>> Built-in SSL support works OK if I connect from my Python program
>> directly to an SSL server (but not via proxy).
>> L.
>
> SSL isn't SUPPOSED to work through proxies. That's the whole point of
> SSL - to prevent somebody in the middle from tapping into the connection.
> Look up "man in the middle attack".

I'm afraid this is complete rubbish - using a proxy with SSL is fine.
The only issue is that the built in python SSL support doesn't work with
proxies. There are a number of ways of adding support though, eg.
http://aspn.activestate.com/ASPN/Coo.../Recipe/456195

One thing to note is that python's built in SSL support does not
validate the server certificate and is therefore vulnerable to MITM attacks
irrespective of whether a proxy is in use or not. If you want real security
then you need to use something like PyOpenSSL or M2Crypto and a certificate
store with your root CAs.

Rich.

Oct 5 '07 #29
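Rich's closing point, and the OP's actual question from #18 (how to make Python trust one more root CA), as an added example that is not code from the thread. In the Python 2.5 era the answer was a third-party module; in Python 3 the standard `ssl` module verifies the chain and the hostname as long as the `SSLContext` is configured to, and a private CA is trusted by pointing `cafile` at its PEM bundle. The file name `private-root-ca.pem` mentioned in the docstring is a placeholder. The `audit_context` function is the check a reviewer would run over a context to see whether it would accept an impostor, and `make_legacy_context` rebuilds the 2.5 behaviour the thread complains about so that the audit has something to flag.

```python
"""Verifying the server certificate and trusting a private CA.

Added example, not code from the thread. Python 3 `ssl` module only.
"private-root-ca.pem" is a placeholder for your own CA bundle.
"""
import socket
import ssl


def make_legacy_context() -> ssl.SSLContext:
    """What the 2.5-era socket.ssl() effectively did: encrypt, but accept
    any certificate from anyone. Here only so audit_context() has a bad case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # chain is not checked at all
    return ctx


def make_trusted_context(cafile=None) -> ssl.SSLContext:
    """Chain must end at a CA in `cafile` (PEM bundle, e.g. private-root-ca.pem);
    with cafile=None the platform trust store is loaded instead."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSLv3/TLS 1.0/1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons a context would accept an impostor; empty is good."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def fetch_head(host, port=443, cafile=None):
    """Usage (real network I/O): a self-signed certificate, a certificate from
    an unknown CA, or one issued for another name now raises
    ssl.SSLCertVerificationError instead of being silently accepted."""
    ctx = make_trusted_context(cafile)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # populated only because verification passed
            req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            return cert.get("subject"), tls.recv(4096)
```

For the debugging-proxy setup in this thread, `make_trusted_context("private-root-ca.pem")` with the proxy's CA in that file is the whole change: the proxy's re-signed certificates are then accepted for that run, and nothing else is. Shipping the same bundle into production code would quietly extend that trust to every host the proxy CA chooses to sign for, which is the man-in-the-middle Paul's RFC quote warns about.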
