Newbie question regarding SSL and certificate verification

geremy condra

Hi,

I am making a first large project in python and am having quite a bit of difficulty unscrambling various python versions and what they can/cannot do. To wit, I must communicate with certain services via https and am required to perform certificate verification on them.

The problem is that I also have to do this under CentOS 5.5 which only uses python 2.4 as its default -- this is not negotiable. As near as I can tell from reading various posts, the https client does not do verification and there is no low-level SSL  support to provide a workaround. Near as I can tell from reading, 2.6 does include this. Am I getting this right? Is there a simple way to do this? More to the point, I need to know pretty darn quick if this is impossible so we can try and plan for it.

So the quick question: Has anyone done certificate verification using 2.4 and if so, how?

Thanks!

M2Crypto is the way to go here. I think there's an example on their site.

Geremy Condra
 
John Nagle

M2Crypto is the way to go here. I think there's an example on their
site.

M2Crypto does that job quite well. Installing M2Crypto tends to be
painful if you have to build it, though. See if you can find a
pre-built version.

You then need a "cacert.pem" file, with the root certificates you're
going to trust. You can get one from

http://curl.haxx.se/docs/caextract.html

which converts Mozilla's format to a .pem file once a week.
The actual Mozilla source file is at

http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt

but M2Crypto needs it in .pem format.

The new Python SSL module in 2.6 and later has a huge built-in
security hole - it doesn't verify the domain against the
certificate. As someone else put it, this means "you get to
talk securely with your attacker." As long as the site or proxy
has some valid SSL cert, any valid SSL cert copied from anywhere,
the new Python SSL module will tell you everything is just fine.

John Nagle
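The domain check John Nagle says the 2.6 ssl module omits, as an added example written for this page (it is not code from the thread, from M2Crypto or from Python itself): `match_hostname` takes a certificate in the dictionary form that `ssl.SSLSocket.getpeercert()` returns and refuses any name that does not cover the host actually dialled, applying the conservative wildcard rules (one wildcard, leftmost label only, one label deep); `make_verifying_context` builds a client context that requires a chain up to a trusted root (a bundle such as the cacert.pem linked above, or the platform store when no path is given) and turns hostname checking on. The certificate dictionaries and host names below are constructed for illustration. Later Python releases added equivalent logic as `ssl.match_hostname`, since superseded by `SSLContext.check_hostname`, so in current code the context alone closes the hole; the hand-written check is here to show what that flag has to do.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (assumption: these names are made up for the example, not real hosts).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (
        ("DNS", "www.example.test"),
        ("DNS", "*.api.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed cert whose only name lives in the CN (older issuance style).
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.test"),)),
}


class CertificateError(ValueError):
    """Raised when the presented certificate does not name the host we dialled."""


def _dns_name_match(pattern, hostname):
    """Match one certificate DNS name (possibly a wildcard) against hostname.

    Comparison is case-insensitive. A '*' is honoured only as the entire
    leftmost label, it must be followed by at least two more labels (so
    '*.com' is rejected), and it matches exactly one label: '*.example.test'
    matches 'a.example.test' but neither 'example.test' nor 'a.b.example.test'.
    A wildcard never matches an IDNA A-label (xn--).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if "*" in pattern[1:]:  # a second wildcard anywhere is rejected
        return False
    if len(p_labels) != len(h_labels):
        return False
    if h_labels[0].startswith("xn--"):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Check that cert names hostname; raise CertificateError otherwise.

    subjectAltName DNS entries are authoritative when present; the subject
    commonName is consulted only if the cert carries no DNS SAN at all.
    Returns the certificate name that matched so callers can log it.
    """
    if not cert:
        raise CertificateError("no certificate presented (is verify_mode CERT_REQUIRED?)")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        candidates = dns_names
    else:
        candidates = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in candidates:
        if _dns_name_match(name, hostname):
            return name
    raise CertificateError("hostname %r does not match certificate names %r" % (hostname, candidates))


def accepts(cert, hostname):
    """Boolean convenience wrapper around match_hostname."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False


def make_verifying_context(cafile=None):
    """Client context that verifies the chain AND the hostname.

    cafile: path to a PEM bundle (e.g. the curl cacert.pem the thread
    mentions); None uses the platform trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate to a trusted root
    ctx.check_hostname = True            # and the name must match the host dialled
    return ctx


def context_is_verifying(ctx):
    """True only if both the chain check and the hostname check are enabled."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for host in ("www.example.test", "v1.api.example.test", "api.example.test", "attacker.test"):
        print("%-22s -> %s" % (host, accepts(SAMPLE_CERT, host)))
```

Using it with the standard library means calling `ctx.wrap_socket(sock, server_hostname=host)` and then, if you keep the manual check, `match_hostname(ssock.getpeercert(), host)`; with `check_hostname` set the wrap itself raises on a mismatch, which is the behaviour the 2.6 module lacked.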
 
David Robinow

...
A final question -- how widely is M2Crypto used? Since I will have to now pitch to our group that this is preferable, the first questions they will ask are about stability, who is using it and how secure is it really, especially since it is at version 0.20.2 (i.e. no major release yet).

I know very little about security, but one thing I think I know. Never
use security software version 1.0 or greater. It was written by an
author insufficiently paranoid.
 
John Nagle

Did anything ever come of the discussion that you and Antoine had?

Geremy Condra

PS- the quote is due to Justin Samuel

I had to write my own domain check. Did anyone re-open the
bug report on that issue?

John Nagle
 
geremy condra

As I wrote in http://bugs.python.org/issue1589, I would support adding
the necessary function(s) to the SSL module, and have urllib (and other
stdlib modules) support them. Someone needs to write a patch, though.

Regards

Antoine.

Hmm, my understanding at the time was that there had been a decision
to just adapt Heikki Toivonen's M2Crypto code, if that's just looking
for someone to turn it into a patch I'll see if I can't find the time
next week.

Geremy Condra
 
Gregory Ewing

David said:
Never
use security software version 1.0 or greater. It was written by an
author insufficiently paranoid.

Hmmm. So to get people to trust your security software, you
should start with version 0.0 and increment by 0.0000001
for each release. :)
 