client ssl verification


Robin Becker

I'm trying to do client ssl verification with code that looks like the sample
below. I am able to reach and read urls that are secure and have no client
certificate requirement OK. If I set explicit_check to True then verbose output
indicates that the server certs are being checked fine ie I see the correct cert
details and am able to check them.

However, when I try to reach an apache location like

<Location /media/secret>
sslverifyclient require
sslverifydepth 10

I am getting an error from urllib2 that goes like this", line 1148, in do_open
raise URLError(err)
URLError: <urlopen error [Errno 1] _ssl.c:1347: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I am using the server.crt and server.key (both in PEM format) from the target
server itself; I reasoned that should be the easiest combo for the client &
server to match, but I am obviously wrong. Any obvious stupidities to be pointed
out? I suppose I could create a new cert/key based on a self signed ca, but that
would not work properly for the other parts of the server.
import socket, ssl, fnmatch, datetime, urllib2, httplib

# wraps https connections with ssl certificate verification
class SecuredHTTPSHandler(urllib2.HTTPSHandler):
def __init__(self,key_file=None,cert_file=None,ca_certs=None,explicit_check=False):
class SecuredHTTPSConnection(httplib.HTTPSConnection):
def connect(self):
# overrides the version in httplib so that we do
# certificate verification
sock = socket.create_connection((, self.port), self.timeout)
if self._tunnel_host:
self.sock = sock
# wrap the socket using verification with the root
# certs in ca_certs
if verbose:
print ca_certs, key_file, cert_file
self.sock = ssl.wrap_socket(sock,
if explicit_check:
cert = self.sock.getpeercert()
if verbose:
import pprint
for key,field in cert.iteritems():
if key=='subject':
sd = dict([x[0] for x in field])
certhost = sd.get('commonName')
if not fnmatch.fnmatch(,certhost):
raise ssl.SSLError("Host name '%s' doesn't match certificate host '%s'"
% (, certhost))
if verbose:
print 'matched "%s" to "%s"' % (,certhost)
elif key=='notAfter':
now =
crttime = datetime.datetime.strptime(field,'%b %d %H:%M:%S %Y %Z')
if verbose:
print 'crttime=%s now=%s' % (crttime,now)
if now>=crttime:
raise ssl.SSLError("Host '%s' certificate expired on %s"
% (, field))
self.specialized_conn_class = SecuredHTTPSConnection

def https_open(self, req):
return self.do_open(self.specialized_conn_class, req)

def secureDataGet(uri,ca_certs='cacert.pem',key_file=None,cert_file=None, explicit_check=False):
https_handler = SecuredHTTPSHandler(key_file=key_file,cert_file=cert_file,
url_opener = urllib2.build_opener(https_handler)
handle =
response = handle.readlines()
return response


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question