Using HTTPSConnection and verifying server's CRT

Marc Poulhiès marc.poulhies at NO-SP44Mepfl.ch
Tue Feb 1 03:44:11 EST 2005


Marc Poulhiès <marc.poulhies at NO-SP4Mepfl.ch> writes:

> ngps at netmemetic.com (Ng Pheng Siong) writes:

>> M2Crypto does server cert verification. With M2Crypto's httpslib, you pass
>> in an SSL.Context instance to the HTTPSConnection constructor to configure
>> the SSL; one of the config knobs is cert verification. So, redo your test,
>> satisfy yourself that this is doable, and send me your code to include as
>> an example in the distribution. ;-)

Hi again!

So here are a few lines that do the server's CRT check. I still have one
question: see in the code. Both have the exact same description in
the documentation.

Btw, thanks for your answer (this will save me from using Perl!)
 Marc

---8<-------8<-------8<-------8<----
#!/usr/bin/env python
import M2Crypto

ctx = M2Crypto.SSL.Context()

## what is the difference between these two??
#ctx.load_verify_info(cafile="/tmp/ca.crt")
ctx.load_verify_locations(cafile="/tmp/ca.crt")

# load client certificate (used to authenticate the client)
ctx.load_cert("/tmp/client.crt")

# stop if peer's certificate can't be verified
ctx.set_allow_unknown_ca(False)

# verify peer's certificate
ctx.set_verify(M2Crypto.SSL.verify_peer, 1)

con = M2Crypto.httpslib.HTTPSConnection("my.ssl.server.domain", ssl_context=ctx)

con.request("GET", "/")
# parenthesized form prints the same body under Python 2 and parses under Python 3
print(con.getresponse().read())
---8<-------8<-------8<-------8<-----

Result here:
$ ./ssl_peer_verif.py 
Enter passphrase:
send: 'GET / HTTP/1.1\r\nHost: my.ssl.server.domain:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Tue, 01 Feb 2005 08:41:51 GMT
header: Server: Apache/2.0.46 (Red Hat)
header: Last-Modified: Mon, 31 Jan 2005 14:50:50 GMT
header: ETag: "4297-13-24658680"
header: Accept-Ranges: bytes
header: Content-Length: 19
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
THIS IS WORKING =)
