Using HTTPSConnection and verifying server's CRT

Thread starter: Marc Poulhiès

Marc Poulhiès

Hi,

I'm trying to build a system using HTTPS with Python clients that have
to verify the server's identity. From the Python documentation, it seems that
the server's certificate is not verified, and authentication can only go
the other way (client authentication).
I know usually users only click on 'yes I trust this certificate', but
what if you really care (this is my case)?

I tried to see if M2Crypto has this possibility, but from my tests
and from what I can find on the website, it seems not :/

Can someone confirm for me that this is not possible, or point me to something
that could help me?

Thanks,
Marc

Ng Pheng Siong

Marc Poulhiès said:
> I tried to see if M2Crypto has this possibility, but from my tests
> and from what I can find on the website, it seems not :/

How did you test and where on the website does it say not?
> Can someone confirm for me that this is not possible, or point me to something
> that could help me?

M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
in an SSL.Context instance to the HTTPSConnection constructor to configure
the SSL; one of the config knobs is cert verification. So, redo your test,
satisfy yourself that this is doable, and send me your code to include as
an example in the distribution. ;-)

M2Crypto even does client certs. Since Apr 2000, according to the very last
blog entry on the ZServerSSL page.

Marc Poulhiès

(e-mail address removed) (Ng Pheng Siong) writes:

Hi,
> How did you test and where on the website does it say not?

I did things like this:
con = M2Crypto.httpslib.HTTPSConnection("some_secure_server")
con.request("GET" , "/")

I tried to play with the optional parameters (strict, debuglevel, etc.) to
see if it would say that it will not check the server's CRT, or print some other
debug message dealing with the server's certificate, but it always
returns the webpage without saying anything :)

I did not say that M2C's doc stated clearly that this was not possible
(that's why I wrote "seems"), but I couldn't find anything stating it
was possible (I tried Google, API docs).
> M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
> in an SSL.Context instance to the HTTPSConnection constructor to configure
> the SSL; one of the config knobs is cert verification. So, redo your test,
> satisfy yourself that this is doable, and send me your code to include as
> an example in the distribution. ;-)

Ok, sorry for that. Maybe with more reading I could have spotted
this. I'll try that tomorrow and give my code if I have something
working!

> M2Crypto even does client certs. Since Apr 2000, according to the very last
> blog entry on the ZServerSSL page.

Yes, I did try this and have my client authenticated to the server.

Thanks for this quick and clear answer ;)

Marc

Marc Poulhiès

Marc Poulhiès said:
> (e-mail address removed) (Ng Pheng Siong) writes:

Hi again!

So here are a few lines that do the server's CRT check. I still have one
question: see in the code. Both have the exact same description in
the documentation.

Btw, thanks for your answer (this will save me from using Perl!)
Marc

---8<-------8<-------8<-------8<----
#!/usr/bin/env python
import M2Crypto

ctx = M2Crypto.SSL.Context()

## what is the difference between these two??
#ctx.load_verify_info(cafile="/tmp/ca.crt")
# CA certificate(s) the server's certificate must chain to
ctx.load_verify_locations(cafile="/tmp/ca.crt")

# load client certificate (used to authenticate the client)
ctx.load_cert("/tmp/client.crt")

# stop if peer's certificate can't be verified
ctx.set_allow_unknown_ca(False)

# verify peer's certificate (arguments: verify mode, maximum chain depth)
ctx.set_verify(M2Crypto.SSL.verify_peer, 1)

con = M2Crypto.httpslib.HTTPSConnection("my.ssl.server.domain", ssl_context=ctx)

con.request("GET", "/")
print(con.getresponse().read())
---8<-------8<-------8<-------8<-----

Result here:
$ ./ssl_peer_verif.py
Enter passphrase:
send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Tue, 01 Feb 2005 08:41:51 GMT
header: Server: Apache/2.0.46 (Red Hat)
header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
header: ETag: "4297-13-24658680"
header: Accept-Ranges: bytes
header: Content-Length: 19
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
THIS IS WORKING =)
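Added example, not code from the thread and not M2Crypto's own: the script above makes the handshake fail unless the server's certificate chains to the CA in /tmp/ca.crt, but a chain check alone does not prove that the certificate was issued for the host being contacted. The block below shows that second, post-connection step with the standard-library ssl module (which performs it itself when check_hostname is set) on a constructed getpeercert()-style dict; SAMPLE_CERT, the host names and the function names are assumptions.

```python
import ssl
import time
import http.client

# Constructed sample in the shape returned by SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "my.ssl.server.domain"),),),
    "subjectAltName": (("DNS", "my.ssl.server.domain"), ("DNS", "*.ssl.server.domain")),
    "notBefore": "Feb  1 00:00:00 2005 GMT",
    "notAfter": "Feb  1 00:00:00 2035 GMT",
}

def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or '*' as the entire leftmost label only."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    # wildcard must be a whole label, cover the same label count, and never be as broad as "*.com"
    if pl[0] != "*" or len(pl) != len(hl) or len(pl) < 3:
        return False
    return pl[1:] == hl[1:]

def check_peer_cert(cert, hostname, now=None):
    """Identity check on a getpeercert() dict: validity window, then SAN dNSName entries
    (subject CN only as a legacy fallback). Returns (ok, reason)."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "certificate not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "certificate expired"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(hostname_matches(n, hostname) for n in names):
        return True, "ok"
    return False, "hostname %r not in certificate names %r" % (hostname, names)

def verifying_context(cafile=None):
    """Client context that refuses unverified peers: the stdlib form of set_verify(verify_peer)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # unknown CA -> handshake fails instead of proceeding
    ctx.check_hostname = True             # name binding, the check that check_peer_cert() spells out
    ctx.load_verify_locations(cafile=cafile) if cafile else ctx.load_default_certs()
    return ctx

def https_get(host, path="/", cafile=None):
    # Same request as the thread's script; raises ssl.SSLCertVerificationError on a bad peer.
    con = http.client.HTTPSConnection(host, context=verifying_context(cafile))
    con.request("GET", path)
    return con.getresponse().read()
```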

Ng Pheng Siong

Marc Poulhiès said:
> Btw, thanks for your answer (this will save me from using Perl!)

You're welcome.
> ## what is the difference between these two??
> #ctx.load_verify_info(cafile="/tmp/ca.crt")
> ctx.load_verify_locations(cafile="/tmp/ca.crt")

None. One is an alias for the other, to adhere to OpenSSL's naming
convention.
> $ ./ssl_peer_verif.py
> Enter passphrase:
> send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
> reply: 'HTTP/1.1 200 OK\r\n'
> header: Date: Tue, 01 Feb 2005 08:41:51 GMT
> header: Server: Apache/2.0.46 (Red Hat)
> header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
> header: ETag: "4297-13-24658680"
> header: Accept-Ranges: bytes
> header: Content-Length: 19
> header: Connection: close
> header: Content-Type: text/html; charset=UTF-8
> THIS IS WORKING =)

Excellent! ;-)