[Cryptography-dev] Adding set_cert_store to pyOpenSSL
Barry Scott
barry.scott at forcepoint.com
Wed Oct 14 05:52:24 EDT 2020
In an app that uses twisted that uses pyOpenSSL I found that
to it takes 1s CPU bound to setup a TLS session because the
twisted code copies the trust store into the context one cert
at a time.
I'm using openssl-1.1.1g and python 2.7.18 (yes I know...).
Here is the function in twisted that causes the 1s CPU bound loop:
class OpenSSLCertificateAuthorities(object):
def __init__(self, caCerts):
self._caCerts = caCerts
def _addCACertsToContext(self, context):
store = context.get_cert_store()
for cert in self._caCerts:
store.add_cert(cert)
The obvious way to fix this is to setup the X509Store at app
startup with the trusted certs. Then set that store on the context.
The new code would be:
class OpenSSLCertificateAuthorities(object):
def __init__(self, caCerts):
self._caCerts = caCerts
self._store = X509Store()
for cert in self._caCerts:
self._store.add_cert(cert)
def _addCACertsToContext(self, context):
context.set_cert_store(self._store)
And the patch to pyOpenSSL is:
--- tmp1/pyopenssl-19.1.0/src/OpenSSL/SSL.py 2019-11-18 04:47:22.000000000 +0000
+++ tmp2/pyopenssl-19.1.0/src/OpenSSL/SSL.py 2020-10-13 15:11:02.255560148 +0100
@@ -1357,6 +1357,14 @@
pystore._store = store
return pystore
+ def set_cert_store(self, store):
+ """
+ Set the certificate store for the context.
+
+ :store: A X509Store object or None if it does not have one.
+ """
+ _lib.SSL_CTX_set_cert_store(self._context, store)
+
def set_options(self, options):
"""
Add options. Options set before are not cleared!
But I see this exception:
File "ngtls_context_set.py", line 107, in _addCACertsToContext
context.set_cert_store(self._store)
File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1366, in set_cert_store
_lib.SSL_CTX_set_cert_store(self._context, store)
TypeError: initializer for ctype 'X509_STORE *' must be a cdata pointer, not X509Store
My searching has not lead me to a way to get a cdata pointer fpr X509Store.
What do I need to do to get set_cert_store working?
Barry
More information about the Cryptography-dev
mailing list