Re: urllib getting SSL certificate info

Ghirai wrote:
> Using urllib, is there any way I could access some info about the SSL
> certificate (when opening a https url)?
>
> I'm really interested in the fingerprint.
>
> I haven't been able to find anything so far.

you can get some info via (undocumented?) attributes on the file handle:

>>> import urllib
>>> f = urllib.urlopen("https://mail.google.com/")
>>> f.fp
<httplib.SSLFile instance at 0x00CE2508>
['issuer', 'read', 'server', 'write']
>>> f.fp._ssl.issuer()
'/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA'
>>> f.fp._ssl.server()
'/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com'

</F>

Aug 16 '08 #1
Fredrik Lundh wrote:
> Ghirai wrote:
>> Using urllib, is there any way I could access some info about the SSL
>> certificate (when opening a https url)?
>>
>> I'm really interested in the fingerprint.
>>
>> I haven't been able to find anything so far.
>
> you can get some info via (undocumented?) attributes on the file handle:
>
> >>> import urllib
> >>> f = urllib.urlopen("https://mail.google.com/")
> >>> f.fp
> <httplib.SSLFile instance at 0x00CE2508>
> ['issuer', 'read', 'server', 'write']
> >>> f.fp._ssl.issuer()
> '/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA'
> >>> f.fp._ssl.server()
> '/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com'
>
> </F>

If you really need details from the SSL cert, you usually have to use
M2Crypto. The base SSL package doesn't actually do much with certificates.
It doesn't validate the certificate chain. And those strings of
attributes you can get are ambiguous; data fields may contain unescaped
"/", which is the field separator. I went through this last year and
had to use M2Crypto, which is something of a headache but more or less works.

John Nagle
Aug 17 '08 #2
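
The ambiguity described in the post above, as an added example that is not part of the original thread: two different names render to the same "/"-separated string, so code that splits on "/" reads a CN that one of them never contained. The helper names and the sample names are constructed for this illustration.

```python
def oneline(rdns):
    """Render (key, value) pairs in the "/K=V/K=V" style of issuer()/server()."""
    return "".join("/%s=%s" % (key, value) for key, value in rdns)


def naive_parse(text):
    """What code that trusts "/" as the field separator ends up doing."""
    fields = {}
    for part in text.split("/")[1:]:
        key, _, value = part.partition("=")
        fields[key] = value  # a later duplicate silently overwrites an earlier one
    return fields


def ambiguous_values(rdns):
    """Return the pairs whose value contains the separator character."""
    return [(key, value) for key, value in rdns if "/" in value]


# Constructed names, not taken from any real certificate.
HONEST = [("C", "US"), ("O", "Example Inc"), ("CN", "mail.example.com")]
TRICKY = [("C", "US"), ("O", "Example Inc/CN=mail.example.com")]


if __name__ == "__main__":
    print(oneline(HONEST))
    print(oneline(TRICKY))
    print("structured names equal:", HONEST == TRICKY)
    print("rendered strings equal:", oneline(HONEST) == oneline(TRICKY))
    print("naive parse of TRICKY:", naive_parse(oneline(TRICKY)))
    print("values needing escaping:", ambiguous_values(TRICKY))
```

Any decision based on the certificate name should therefore use the structured fields a library returns, not the flattened string.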
On Sunday 17 August 2008 20:15:47 John Nagle wrote:
> If you really need details from the SSL cert, you usually have to use
> M2Crypto. The base SSL package doesn't actually do much with certificates.
> It doesn't validate the certificate chain. And those strings of
> attributes you can get are ambiguous; data fields may contain unescaped
> "/", which is the field separator. I went through this last year and
> had to use M2Crypto, which is something of a headache but more or less
> works.
>
> John Nagle

Would you mind sharing some code? The module is pretty ugly and on top has no
docs whatsoever; got tired of reading the source...

Thanks.

--
Regards,
Ghirai.
Aug 19 '08 #3
Ghirai wrote:
> Would you mind sharing some code? The module is pretty ugly and on top has no
> docs whatsoever; got tired of reading the source...

Did you find out the right homepage at
http://chandlerproject.org/Projects/MeTooCrypto? The original author,
ngps, hasn't been involved in the project for years, yet for some reason
his page still comes up first when you search with Google.

The real M2Crypto homepage includes a short SSL howto. In there is a 5
line sample client script. But here is the equivalent of what JP wrote
in M2Crypto:

from M2Crypto import SSL
ctx = SSL.Context('sslv3')
# If you comment out these lines, the connection won't be secure
#ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9)
#if ctx.load_verify_locations('ca.pem') != 1: raise Exception('No CA certs')
c = SSL.Connection(ctx)
c.connect(('www.google.com', 443)) # automatically checks cert matches host
c.send('GET / HTTP/1.1\r\n\r\n')
cert = c.get_peer_cert()
print cert.get_issuer() # actually returns X509_Name object
print cert.get_subject() # actually returns X509_Name object

I should point out that M2Crypto really tries to make things safe by
default. For example with SSL, you will have to explicitly request weak
crypto to get SSLv2 and weak ciphers, and by default in client mode it
will check that the certificate hostname matches the hostname you tried
to connect to. You can override these if you want. The examples
typically show how to do things the safe way.

M2Crypto has over 200 unit tests, which I think offer a reasonable way
of checking how to use the API.

You can generate the M2Crypto API documentation yourself, but it is
pretty minimal. I'll see if I can find some cycles to flesh it out.
pyOpenSSL has the API documentation online, arguably in a nicer format
even, but there doesn't seem to be much more of it IMO. Both M2Crypto
and pyOpenSSL recommend you to go read the OpenSSL documentation since
most things are pretty thin wrappers around OpenSSL. But really, for
anyone doing any serious SSL development using OpenSSL or any OpenSSL
wrappers I recommend you go read "Network Security with OpenSSL" by John
Viega, Matt Messier and Pravir Chandra, ISBN 059600270X.

But just for your viewing pleasure, I just generated the M2Crypto API
documentation and put a link to it from the M2Crypto homepage:
http://chandlerproject.org/Projects/MeTooCrypto

--
Heikki Toivonen - http://www.heikkitoivonen.net
Aug 20 '08 #4
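
For the fingerprint asked about at the top of the thread, an added example (not code from any poster) that uses Python 3's standard `ssl` module rather than M2Crypto, with chain and hostname verification left on. The function names and the host in the `__main__` guard are chosen for this example.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_bytes, algorithm="sha256"):
    """Colon-separated hex digest of the DER-encoded certificate."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der_bytes, expected):
    """Constant-time check against a previously recorded SHA-256 fingerprint."""
    def norm(text):
        return text.replace(":", "").lower()
    return hmac.compare_digest(norm(fingerprint(der_bytes)), norm(expected))


def flatten_name(rdn_sequence):
    """Flatten getpeercert()'s nested subject/issuer tuples to (key, value) pairs.

    Keys and values stay separate, so a "/" inside a value cannot be misread.
    """
    return [(key, value) for rdn in rdn_sequence for key, value in rdn]


def peer_cert_info(host, port=443, timeout=10):
    """Connect with chain and hostname verification on; return cert details."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            parsed = tls.getpeercert()
    return {
        "sha256": fingerprint(der),
        "subject": flatten_name(parsed["subject"]),
        "issuer": flatten_name(parsed["issuer"]),
        "not_after": parsed["notAfter"],
    }


if __name__ == "__main__":
    # Host chosen only as a sample for a live run; it needs network access.
    for key, value in peer_cert_info("www.python.org").items():
        print(key, value)
```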
