[Cryptography-dev] Adding set_cert_store to pyOpenSSL

Barry Scott barry.scott at forcepoint.com
Wed Oct 14 05:52:24 EDT 2020


In an app that uses twisted, which uses pyOpenSSL, I found that
it takes 1s of CPU-bound time to set up a TLS session because the
twisted code copies the trust store into the context one cert
at a time.

I'm using openssl-1.1.1g and python 2.7.18 (yes I know...).

Here is the function in twisted that causes the 1s CPU-bound loop:

class OpenSSLCertificateAuthorities(object):
    def __init__(self, caCerts):
        self._caCerts = caCerts

    def _addCACertsToContext(self, context):
        # Every new context gets the whole trust store copied in,
        # one X509 at a time.
        store = context.get_cert_store()
        for cert in self._caCerts:
            store.add_cert(cert)

The obvious way to fix this is to setup the X509Store at app
startup with the trusted certs. Then set that store on the context.

The new code would be:

from OpenSSL.crypto import X509Store

class OpenSSLCertificateAuthorities(object):
    def __init__(self, caCerts):
        self._caCerts = caCerts
        # Build the X509Store once, at startup.
        self._store = X509Store()
        for cert in self._caCerts:
            self._store.add_cert(cert)

    def _addCACertsToContext(self, context):
        # Share the prebuilt store with each new context.
        context.set_cert_store(self._store)

And the patch to pyOpenSSL is:

--- tmp1/pyopenssl-19.1.0/src/OpenSSL/SSL.py    2019-11-18 04:47:22.000000000 +0000
+++ tmp2/pyopenssl-19.1.0/src/OpenSSL/SSL.py    2020-10-13 15:11:02.255560148 +0100
@@ -1357,6 +1357,14 @@
         pystore._store = store
         return pystore
 
+    def set_cert_store(self, store):
+        """
+        Set the certificate store for the context.
+
+        :store: A X509Store object or None if it does not have one.
+        """
+        _lib.SSL_CTX_set_cert_store(self._context, store)
+
     def set_options(self, options):
         """
         Add options. Options set before are not cleared!
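Review bot: `_lib.SSL_CTX_set_cert_store(self._context, store)` passes the Python `X509Store` wrapper straight to the cffi binding, which expects the underlying `X509_STORE *` cdata; that is exactly the `TypeError: initializer for ctype 'X509_STORE *' must be a cdata pointer, not X509Store` reported below. The cdata is kept in the wrapper's `_store` attribute (the unchanged `pystore._store = store` context line above shows the convention), so the call should be `_lib.SSL_CTX_set_cert_store(self._context, store._store)`. Two lifetime/contract issues also need handling before this is mergeable: SSL_CTX_set_cert_store() takes ownership of the store without incrementing its reference count and frees it when the context is freed, while the pyOpenSSL wrapper frees the same `_store` when it is garbage collected, so the context needs its own reference (X509_STORE_up_ref(), or SSL_CTX_set1_cert_store() on OpenSSL 1.1.1 if the binding exposes it) to avoid a double free; and the docstring's "or None" case is not implemented, since cffi rejects a Python None for a pointer argument just as it rejected the wrapper (map None to `_ffi.NULL`, or drop that sentence). Minor: use the Sphinx `:param store:` form and "An X509Store" in the docstring.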

But I see this exception:

  File "ngtls_context_set.py", line 107, in _addCACertsToContext
    context.set_cert_store(self._store)
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1366, in set_cert_store
    _lib.SSL_CTX_set_cert_store(self._context, store)
TypeError: initializer for ctype 'X509_STORE *' must be a cdata pointer, not X509Store

My searching has not led me to a way to get a cdata pointer for X509Store.

What do I need to do to get set_cert_store working?

Barry
