Getting SSL certificate

Stuart D. Gathman stuart at bmsi.com
Sat Nov 9 23:27:24 EST 2002 

On Sat, 09 Nov 2002 01:56:59 -0500, Martin v. Loewis wrote:

>> That would make sense, but the docs say that checking the server
>> certificate is not implemented.
> 
> Did you try? Python passes the cert_file argument to
> SSL_CTX_use_certificate_chain_file. It might be a problem that Python
> never calls SSL_get_verify_result, though (but then, I understand that
> the default verify callback will return preverify_ok, so if the server
> certificate could not be verified, the TLS handshake will be
> terminated).

Tying doesn't tell me whether the cert was actually checked.  I don't get
any errors, however, poking around in the C source for socketmodule.c, I
find for opening an SSL connection:

        if (key_file) {
                if (SSL_CTX_use_PrivateKey_file(self->ctx, key_file,
                                                SSL_FILETYPE_PEM) < 1) {
                        errstr = "SSL_CTX_use_PrivateKey_file error";
                        goto fail;
                }

                if (SSL_CTX_use_certificate_chain_file(self->ctx,
                                                       cert_file) < 1) {
                        errstr = "SSL_CTX_use_certificate_chain_file error";
                        goto fail;
                }
        }

        SSL_CTX_set_verify(self->ctx,
                           SSL_VERIFY_NONE, NULL); /* set verify lvl */
        self->ssl = SSL_new(self->ctx); /* New ssl struct */
        SSL_set_fd(self->ssl, Sock->sock_fd);   /* Set the socket for SSL */
        SSL_set_connect_state(self->ssl);
        /* Actually negotiate SSL connection */
        /* XXX If SSL_connect() returns 0, it's also a failure. */
        ret = SSL_connect(self->ssl);

And the openssl docs have this to say about SSL_VERIFY_NONE:

       SSL_VERIFY_NONE
           Server mode: the server will not send a client
           certificate request to the client, so the client will
           not send a certificate.

           Client mode: if not using an anonymous cipher (by
           default disabled), the server will send a certificate
           which will be checked. The result of the certificate
           verification process can be checked after the TLS/SSL
           handshake using the SSL_get_verify_result(3) function.
           The handshake will be continued regardless of the
           verification result.

socketmodule.c never calls SSL_get_verify_result()

It seems that the docs are correct.  The certificate is not validated and
I could be talking to anybody or their dog.
  Furthermore, while the
server and issuer are exposed through undocumented attributes, the
server_cert is not.  So there is no way to validate the cert manually,
short of rewriting socketmodule.c.  This is one case where the batteries
included have been sitting on the shelf too long.

If only the server_cert were available, validating it is not too much
work.  There is an external 'verify' program supplied with openssl that
does most of the work for you.

-- 
	      Stuart D. Gathman <stuart at bmsi.com>
Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

More information about the Python-list mailing list