client ssl verification

Discussion in 'Python' started by Robin Becker, Mar 15, 2012.

  1. Robin Becker

    Robin Becker Guest

    I'm trying to do client ssl verification with code that looks like the sample
    below. I am able to reach and read urls that are secure and have no client
    certificate requirement OK. If I set explicit_check to True then verbose output
    indicates that the server certs are being checked fine ie I see the correct cert
    details and am able to check them.

    However, when I try to reach an apache location like

    <Location /media/secret>
    sslverifyclient require
    sslverifydepth 10
    </Location>

    I am getting an error from urllib2 that goes like this

    urllib2.py", line 1148, in do_open
    raise URLError(err)
    URLError: <urlopen error [Errno 1] _ssl.c:1347: error:14094418:SSL
    routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

    I am using the server.crt and server.key (both in PEM format) from the target
    server itself; I reasoned that should be the easiest combo for the client &
    server to match, but I am obviously wrong. Any obvious stupidities to be pointed
    out? I suppose I could create a new cert/key based on a self signed ca, but that
    would not work properly for the other parts of the server.

    > import socket, ssl, fnmatch, datetime, urllib2, httplib
    > verbose=False
    >
    > # wraps https connections with ssl certificate verification
    > class SecuredHTTPSHandler(urllib2.HTTPSHandler):
    > def __init__(self,key_file=None,cert_file=None,ca_certs=None,explicit_check=False):
    > class SecuredHTTPSConnection(httplib.HTTPSConnection):
    > def connect(self):
    > # overrides the version in httplib so that we do
    > # certificate verification
    > sock = socket.create_connection((self.host, self.port), self.timeout)
    > if self._tunnel_host:
    > self.sock = sock
    > self._tunnel()
    > # wrap the socket using verification with the root
    > # certs in ca_certs
    > if verbose:
    > print ca_certs, key_file, cert_file
    > self.sock = ssl.wrap_socket(sock,
    > cert_reqs=ssl.CERT_REQUIRED,
    > ca_certs=ca_certs,
    > keyfile=key_file,
    > certfile=cert_file,
    > )
    > if explicit_check:
    > cert = self.sock.getpeercert()
    > if verbose:
    > import pprint
    > pprint.pprint(cert)
    > for key,field in cert.iteritems():
    > if key=='subject':
    > sd = dict([x[0] for x in field])
    > certhost = sd.get('commonName')
    > if not fnmatch.fnmatch(self.host,certhost):
    > raise ssl.SSLError("Host name '%s' doesn't match certificate host '%s'"
    > % (self.host, certhost))
    > if verbose:
    > print 'matched "%s" to "%s"' % (self.host,certhost)
    > elif key=='notAfter':
    > now = datetime.datetime.now()
    > crttime = datetime.datetime.strptime(field,'%b %d %H:%M:%S %Y %Z')
    > if verbose:
    > print 'crttime=%s now=%s' % (crttime,now)
    > if now>=crttime:
    > raise ssl.SSLError("Host '%s' certificate expired on %s"
    > % (self.host, field))
    > self.specialized_conn_class = SecuredHTTPSConnection
    > urllib2.HTTPSHandler.__init__(self)
    >
    > def https_open(self, req):
    > return self.do_open(self.specialized_conn_class, req)
    >
    > def secureDataGet(uri,ca_certs='cacert.pem',key_file=None,cert_file=None, explicit_check=False):
    > https_handler = SecuredHTTPSHandler(key_file=key_file,cert_file=cert_file,
    > ca_certs=ca_certs,explicit_check=explicit_check)
    > url_opener = urllib2.build_opener(https_handler)
    > handle = url_opener.open(uri)
    > response = handle.readlines()
    > handle.close()
    > return response



    --
    Robin Becker
     
    Robin Becker, Mar 15, 2012
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Frankie
    Replies:
    0
    Views:
    341
    Frankie
    Sep 30, 2005
  2. Krzysztof Pa¼
    Replies:
    1
    Views:
    702
    Krzysztof Pa¼
    Sep 26, 2003
  3. geremy condra
    Replies:
    6
    Views:
    398
    Gregory Ewing
    Jul 30, 2010
  4. Replies:
    1
    Views:
    274
    Brian Candler
    May 16, 2007
  5. Replies:
    1
    Views:
    301
Loading...

Share This Page