More M2Crypto issues. Not big ones, though.

John Nagle

A list of small problems and bugs in the current M2Crypto:
I need to look at SSL certificates in some detail, so this
is all about the access functions for certificates.

Bugs:

1. Off by one error at "X509.get_ext_count()". Reports
eight extensions on a certificate that only has seven.
get_ext_at works for extensions 0..6, then returns
an undefined for the nonexistent #7.
Test against "https://www.verisign.com".
Entered into Bugzilla as #7717.

3. /M2Crypto/SSL/Connection.py:147: DeprecationWarning: Old style
callback, use cb_func(ok, store) instead
  return m2.ssl_connect(self.ssl)
(Also reported, in Polish, here:
http://www.mail-archive.com/[email protected]/msg12433.html)
Entered into Bugzilla as #7718.

4. "close()" on an SSL socket that's just finished certificate
negotiation hangs, at least on Windows. "del" does not hang,
but I don't know if there's a leak problem.
Not enough info yet to file a bug report. I might be doing
something wrong there. Any known "close" issues?

Other issues:

1. X509.X509_name.__getattr__:
Field retrieval from X.509 name items with x509_name_by_nid
retrieves only first instance of field, not all instances.
Really should return a list. The same key is used more
than once very frequently; these keys aren't unique.
It's tempting to treat these things like a hash, but they
don't really work that way. As for simply iterating through
the name elements, there's no direct way to just get the
elements one at a time. X509_Name has an "entry_count"
method, but no way to get the Nth entry.

As a workaround, I'm converting the X509_name to a string with

subjectstr = peer.get_subject().as_text(
    flags=(m2.XN_FLAG_RFC2253 | m2.ASN1_STRFLGS_UTF8_CONVERT)
          & ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS)   # in RFC2253 format

This is safely parseable. While the default format doesn't have
escapes around the delimiter characters, with these flags,
entries are comma-separated with backslash escapes where
necessary. This works, unlike the "server()" function in
Python's built-in SSL, which returns a debug format that
has the same characters as delimiters and text.

2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
OpenSSL will return info in UTF-8 if you use the
ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
M2 glue code handles this correctly. Haven't found a UTF8 cert
to test it on yet.

Other than that, I'm having relatively good results with M2Crypto.

John Nagle

Heikki Toivonen

John said:
> A list of small problems and bugs in the current M2Crypto:
> I need to look at SSL certificates in some detail, so this
> is all about the access functions for certificates.

Thanks, got the reports, will check them out.

> 3. /M2Crypto/SSL/Connection.py:147: DeprecationWarning: Old style
> callback, use cb_func(ok, store) instead
>   return m2.ssl_connect(self.ssl)
> (Also reported, in Polish, here:
> http://www.mail-archive.com/[email protected]/msg12433.html)
> Entered into Bugzilla as #7718.

This is actually intended. Once I figure out how to implement all the
functionality in the new way I'd like to remove the old way.

> 4. "close()" on an SSL socket that's just finished certificate
> negotiation hangs, at least on Windows. "del" does not hang,
> but I don't know if there's a leak problem.
> Not enough info yet to file a bug report. I might be doing
> something wrong there. Any known "close" issues?

No known issues, but the ending of an SSL connection is a little grey
area to me so I wouldn't be surprised if there are some cases where we
shut down prematurely or too late. But I don't know why we'd hang.

> 1. X509.X509_name.__getattr__:
> Field retrieval from X.509 name items with x509_name_by_nid
> retrieves only first instance of field, not all instances.

Yes, I've been battling with this myself as well. OpenSSL provides
objects to get things as a list, but they are so weird I haven't yet
figured out a way to wrap them in Python so that you would actually be
able to get some values out.

> 2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
> OpenSSL will return info in UTF-8 if you use the
> ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
> M2 glue code handles this correctly. Haven't found a UTF8 cert
> to test it on yet.

Yeah, I am not convinced everything works as it should. Any UTF8 (and
other encoding) samples would be welcome.

> Other than that, I'm having relatively good results with M2Crypto.

Glad to hear.

John Nagle

Heikki said:
> Thanks, got the reports, will check them out.
>
> This is actually intended. Once I figure out how to implement all the
> functionality in the new way I'd like to remove the old way.

OK.

> No known issues, but the ending of an SSL connection is a little grey
> area to me so I wouldn't be surprised if there are some cases where we
> shut down prematurely or too late. But I don't know why we'd hang.

I'll check that again.

> Yes, I've been battling with this myself as well. OpenSSL provides
> objects to get things as a list, but they are so weird I haven't yet
> figured out a way to wrap them in Python so that you would actually be
> able to get some values out.

I convert X509_name items to a list of tuples. Here's an example:

Server: [('CN', 'www.apartmentsapart.com'),
         ('OU', 'Travel Services'),
         ('O', 'Niche Travel Ltd.'),
         ('L', 'Nicosia'),
         ('ST', 'Nicosia'),
         ('C', 'CY')]

That's straightforward.

But to do this I have to convert the X509_name item to a string, like this:

subjectstr = subject.as_text(flags=(m2.XN_FLAG_RFC2253 |
                                    m2.ASN1_STRFLGS_UTF8_CONVERT)
                                   & ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS)

which yields a string of items like "L=Nicosia, OU=Travel Services", with
backslash escapes where necessary. (The default formatting does not
have proper escaping; it's just for debug use.) So I parse that,
obeying the escapes, and get out the tuples. This works OK, but
shouldn't be necessary. It's not something I need now, though.

Most things in X509 certificates map well to lists of tuples.
> Yeah, I am not convinced everything works as it should. Any UTF8 (and
> other encoding) samples would be welcome.

Looking for one. I think all that's needed is to recognize when
ASN1_STRFLGS_UTF8_CONVERT is set when converting to a Python string,
and convert to the appropriate form of Python string.

Just rediscovered bug #5277, "Support certificates with multiple DNS
names", which is fixed in 0.18. Looking forward to version 0.18.
If you want to test that, try to open "https://www.autumngalleryforthehome.com".

John Nagle
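The string-then-parse workaround that both of John's posts describe, written out as an added example. This is not M2Crypto's code and not the poster's own parser: it takes the RFC 2253 text that X509_Name.as_text() returns with the flags quoted in the thread and turns it into the list of (type, value) tuples shown above, obeying the backslash escapes (both the "\," kind and "\XX" hex bytes) and treating "+"-joined multi-valued RDNs as separate tuples. The sample strings are constructed; the first mirrors the subject quoted in the thread. The example also goes slightly beyond the posts: repeated attribute types (the OU case from item 1) are gathered into lists by group_by_type, and "\XX" bytes are decoded as UTF-8, which, as I read OpenSSL's flag definitions, is what it emits for non-ASCII characters here because XN_FLAG_RFC2253 already includes ASN1_STRFLGS_ESC_MSB.

```python
# Added example (not M2Crypto's code, nor the poster's): parse the RFC 2253
# string that X509_Name.as_text(flags=m2.XN_FLAG_RFC2253 | ...) produces
# into a list of (type, value) tuples, honouring the backslash escapes that
# make the format safe to parse, and group repeated types into lists.

# Characters that RFC 2253 escapes as backslash + character.
_SPECIALS = frozenset(b',=+<>#;"\\ ')
_HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")


def _tokens(dn):
    """Split dn into alternating ('type', bytes) / ('value', bytes) tokens."""
    data = dn.encode("utf-8")   # work on bytes so hex escapes can be reassembled
    chars = []                  # (byte, was_escaped) for the token being read
    tokens = []
    reading_type = True
    i, n = 0, len(data)

    def emit():
        # RFC 2253 requires parsers to accept spaces around separators; only
        # *unescaped* leading/trailing spaces are dropped (OpenSSL escapes
        # significant ones, so an escaped space is kept).
        while chars and chars[0] == (0x20, False):
            chars.pop(0)
        while chars and chars[-1] == (0x20, False):
            chars.pop()
        tokens.append(("type" if reading_type else "value",
                       bytes(b for b, _ in chars)))
        chars.clear()

    while i < n:
        c = data[i]
        if c == 0x5C:                                   # backslash
            if (i + 2 < n and data[i + 1] in _HEXDIGITS
                    and data[i + 2] in _HEXDIGITS):
                chars.append((int(data[i + 1:i + 3], 16), True))   # \XX = one raw byte
                i += 3
            elif i + 1 < n and data[i + 1] in _SPECIALS:
                chars.append((data[i + 1], True))       # \, \+ \= ... = that literal
                i += 2
            else:
                raise ValueError("bad escape sequence at offset %d" % i)
        elif reading_type and c == 0x3D:                # '=' ends the type
            emit()
            reading_type = False
            i += 1
        elif not reading_type and c in (0x2C, 0x2B, 0x3B):   # ',' '+' ';' end the value
            emit()
            reading_type = True
            i += 1
        else:
            chars.append((c, False))
            i += 1
    if not reading_type:
        emit()                                          # final value
    elif chars or tokens:
        raise ValueError("attribute type without '=' or dangling separator")
    return tokens


def parse_rfc2253_dn(dn):
    r"""Return [(type, value), ...] in the order the string lists them.

    Bytes reassembled from \XX escapes are decoded as UTF-8, which is what
    OpenSSL emits under ASN1_STRFLGS_UTF8_CONVERT (XN_FLAG_RFC2253 already
    sets ASN1_STRFLGS_ESC_MSB, so non-ASCII bytes arrive hex-escaped).
    A value OpenSSL dumped as '#' + hex is returned verbatim.
    """
    toks = _tokens(dn)
    pairs = []
    for j in range(0, len(toks), 2):
        attr_type = toks[j][1].decode("ascii")          # short names or dotted OIDs
        value = toks[j + 1][1].decode("utf-8")          # raises on non-UTF-8 bytes
        pairs.append((attr_type, value))
    return pairs


def group_by_type(pairs):
    """{'OU': ['Engineering', 'Security'], ...}: every occurrence kept, in order."""
    grouped = {}
    for attr_type, value in pairs:
        grouped.setdefault(attr_type, []).append(value)
    return grouped


def is_well_formed(dn):
    """True if dn parses cleanly (a guard before trusting a peer's name)."""
    try:
        parse_rfc2253_dn(dn)
        return True
    except ValueError:          # UnicodeDecodeError is a ValueError too
        return False


# Constructed samples (not taken from real certificates).  The first mirrors
# the subject quoted in the thread; the second exercises an escaped comma
# and plus, a multi-valued RDN (CN+L), a repeated OU, a space after a
# separator, and UTF-8 bytes hex-escaped the way OpenSSL writes them.
SAMPLE_PLAIN = ("CN=www.apartmentsapart.com,OU=Travel Services,"
                "O=Niche Travel Ltd.,L=Nicosia,ST=Nicosia,C=CY")
SAMPLE_ESCAPED = (r"CN=Acme\, Inc.+L=Z\C3\BCrich,OU=Sales\+Support,OU=R&D,"
                  r"O=Caf\C3\A9 Ltd., C=CH")

if __name__ == "__main__":
    for dn in (SAMPLE_PLAIN, SAMPLE_ESCAPED):
        pairs = parse_rfc2253_dn(dn)
        print(dn)
        for pair in pairs:
            print("   ", pair)
        print("   grouped:", group_by_type(pairs))
```

The parser works on bytes rather than on the decoded string because a hex escape yields one raw byte, and a non-ASCII character arrives as two or more consecutive "\XX" escapes; those bytes have to be reassembled before UTF-8 decoding, or a multi-byte character is split and the decode fails. It refuses malformed input (a trailing backslash, a value with no "=", a hex byte that is not valid UTF-8) rather than guessing, which is the behaviour you want before using a peer's subject for any access decision.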
 
