Also specify some root certificates to use in verifying the peer's
certificate. Certificate verification works by proceeding from a
collection of "root" certificates which are explicitly trusted. These
are used to sign other certificates (which may in turn be used to sign
others, which in turn...). The process of certificate verification is
the process of following the signatures from the certificate in use by
the server you connect to back up the chain until you reach a root
which you have either decided to trust or not. If the signatures are
all valid and the root is one you trust, then you have established a
connection to a trusted entity. If any signature is invalid, or the
root is not one you trust, then you have not.
The root certificates are also called the "ca certificates" or
"certificate authority certificates". `wrap_socket` accepts a
`ca_certs` argument. See http://docs.python.org/library/ssl.html#ssl-certificates
for details about that argument.
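As an added illustration of the point above (not code from either poster), this is the modern Python 3 equivalent of a `wrap_socket(..., ca_certs=..., cert_reqs=CERT_REQUIRED)` client: the CA bundle named by `ca_certs` is the set of trusted roots, and the helper checks that the bundle actually exists and parses on the client host before handing it to OpenSSL, so a missing or unusable bundle fails with a readable message rather than a bare `X509_load_cert_crl_file` error. Function names, the constructed sample bundle and the temp-file helper are mine, not from the thread.

```python
import os
import ssl
import tempfile


def make_client_context(cafile):
    """Client context that verifies the server's chain against the roots in cafile
    (Python 3 replacement for wrap_socket(ca_certs=..., cert_reqs=CERT_REQUIRED))."""
    cafile = os.path.abspath(os.path.expanduser(cafile))
    # Fail early with a clear message if the bundle was never copied to this host.
    if not os.path.isfile(cafile):
        raise FileNotFoundError("CA bundle not found on this host: %s" % cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must lead to a trusted root
    ctx.check_hostname = True             # a valid chain is not enough: the name must match
    ctx.load_verify_locations(cafile=cafile)  # the trusted roots ("ca certificates")
    return ctx


def wrap_client(sock, cafile, server_hostname):
    """Wrap an already-connected socket the way the thread's client does."""
    return make_client_context(cafile).wrap_socket(sock, server_hostname=server_hostname)


def describe_ca_problem(cafile):
    """Return None if the bundle loads, otherwise a short diagnosis string."""
    try:
        make_client_context(cafile)
    except FileNotFoundError as exc:
        return "missing: %s" % exc
    except ssl.SSLError as exc:
        # e.g. NO_CERTIFICATE_OR_CRL_FOUND when the file holds no PEM certificates
        return "unusable: %s" % (getattr(exc, "reason", None) or exc)
    return None


def write_constructed_bundle(text):
    """Write constructed (not real) bundle content to a temp file; returns its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write(text)
    return fh.name
```

Running `describe_ca_problem("/home/andrea/ca/certs/cacert.pem")` on a machine where that path was never copied reports "missing: ...", which is the situation the second client machine is in.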
Hi Jean-Paul, I thought that with a self-signed certificate I shouldn't
use the ca_certs option. Now I've created a CA authority and I use this
command:
    self.sock = ssl.wrap_socket(sock, certfile="ca/certs/myfriend.cert.pem",
                                keyfile="ca/private/myfriend.key.pem",
                                ca_certs="/home/andrea/ca/certs/cacert.pem",
                                cert_reqs=ssl.CERT_REQUIRED)
When I use the same machine as client and server it works, but when I use
another machine as the client, I get this:
    Traceback (most recent call last):
      File "loginsender.py", line 48, in <module>
        handle = url_opener.open('https://debian.andrea.it:10700/%s+%s' % (DATA, IPIN))
      File "/usr/lib/python2.6/urllib2.py", line 391, in open
        response = self._open(req, data)
      File "/usr/lib/python2.6/urllib2.py", line 409, in _open
        '_open', req)
      File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
        result = func(*args)
      File "loginsender.py", line 33, in https_open
        return self.do_open(self.specialized_conn_class, req)
      File "/usr/lib/python2.6/urllib2.py", line 1145, in do_open
        raise URLError(err)
    urllib2.URLError: <urlopen error [Errno 185090050] _ssl.c:328: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>
I see that I should create a certificate for the server, the client and the
CA authority, but I'm not clear on the ca_certs option and which path I
should use.
Do you have any suggestions?