By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
459,725 Members | 1,209 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 459,725 IT Pros & Developers. It's quick & easy.

Re: urllib getting SSL certificate info

P: n/a
Ghirai wrote:
Using urllib, is there any way i could access some info about the SSL
certificate (when opening a https url)?

I'm really interested in the fingerprint.

I haven't been able to find anything so far.
you can get some info via (undocumented?) attributes on the file handle:
>>import urllib
f = urllib.urlopen("https://mail.google.com/")
f.fp
<httplib.SSLFile instance at 0x00CE2508>
['issuer', 'read', 'server', 'write']
>>f.fp._ssl.issuer()
'/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA'
>>f.fp._ssl.server()
'/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com'

</F>

Aug 16 '08 #1
Share this Question
Share on Google+
3 Replies


P: n/a
Fredrik Lundh wrote:
Ghirai wrote:
>Using urllib, is there any way i could access some info about the SSL
certificate (when opening a https url)?

I'm really interested in the fingerprint.

I haven't been able to find anything so far.

you can get some info via (undocumented?) attributes on the file handle:
>>import urllib
>>f = urllib.urlopen("https://mail.google.com/")
>>f.fp
<httplib.SSLFile instance at 0x00CE2508>
['issuer', 'read', 'server', 'write']
>>f.fp._ssl.issuer()
'/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA'
>>f.fp._ssl.server()
'/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com'

</F>
If you really need details from the SSL cert, you usually have to use
M2Crypto. The base SSL package doesn't actually do much with certificates.
It doesn't validate the certificate chain. And those strings of
attributes you can get are ambiguious; data fields may contain unescaped
"/", which is the field separator. I went through this last year and
had to use M2Crypto, which is something of a headache but more or less works.

John Nagle
Aug 17 '08 #2

P: n/a
On Sunday 17 August 2008 20:15:47 John Nagle wrote:
If you really need details from the SSL cert, you usually have to use
M2Crypto. The base SSL package doesn't actually do much with certificates.
It doesn't validate the certificate chain. And those strings of
attributes you can get are ambiguious; data fields may contain unescaped
"/", which is the field separator. I went through this last year and
had to use M2Crypto, which is something of a headache but more or less
works.

John Nagle
Would you mind sharing some code? The module is pretty ugly and on top has no
docs whatsoever; got tired of reading the source...

Thanks.

--
Regards,
Ghirai.
Aug 19 '08 #3

P: n/a
Ghirai wrote:
Would you mind sharing some code? The module is pretty ugly and on top has no
docs whatsoever; got tired of reading the source...
Did you find out the right homepage at
http://chandlerproject.org/Projects/MeTooCrypto? The original author,
ngps, hasn't been involved in the project for years, yet for some reason
his page still comes up first when you search with Google.

The real M2Crypto homepage includes a short SSL howto. In there is a 5
line sample client script. But here is the equivalent of what JP wrote
in M2Crypto:

from M2Crypto import SSL
ctx = SSL.Context('sslv3')
# If you comment out these lines, the connection won't be secure
#ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9)
#if ctx.load_verify_locations('ca.pem') != 1: raise Exception('No CA certs')
c = SSL.Connection(ctx)
c.connect(('www.google.com', 443)) # automatically checks cert matches host
c.send('GET / HTTP/1.1\r\n\r\n')
cert = c.get_peer_cert()
print cert.get_issuer() # actually returns X509_Name object
print cert.get_subject() # actually returns X509_Name object

I should point out that M2Crypto really tries to make things safe by
default. For example with SSL, you will have to explicitly request weak
crypto to get SSLv2 and weak ciphers, and by default in client mode it
will check that the certificate hostname matches the hostname you tried
to connect to. You can override these if you want. The examples
typically show how to do things the safe way.

M2Crypto has over 200 unit tests, which I think offer a reasonable way
of checking how to use the API.

You can generate the M2Crypto API documentation yourself, but it is
pretty minimal. I'll see if I can find some cycles to flesh it out.
pyOpenSSL has the API documentation online, arguably in a nicer format
even, but there doesn't seem to be much more of it IMO. Both M2Crypto
and pyOpenSSL recommend you to go read the OpenSSL documentation since
most things are pretty thin wrappers around OpenSSL. But really, for
anyone doing any serious SSL development using OpenSSL or any OpenSSL
wrappers I recommend you go read "Network Security with OpenSSL" by John
Viega, Matt Messier and Pravir Chandra, ISBN 059600270X.

But just for your viewing pleasure, I just generated the M2Crypto API
documentation and put a link to it from the M2Crypto homepage:
http://chandlerproject.org/Projects/MeTooCrypto

--
Heikki Toivonen - http://www.heikkitoivonen.net
Aug 20 '08 #4

This discussion thread is closed

Replies have been disabled for this discussion.