SSL meta data
Jan Dries
jan.dries at dcube-resource.be
Mon Sep 25 15:42:37 EDT 2006
Paul Rubin wrote:
> "BerndWill" <bernd at ewill.de> writes:
>> I would love to read programmatically some information out of the
>> certificates itself (who signed it and what is the validation period, i.e.
>> meta data).
>>
>> Can someone please help me out here !?
>
> This is very cheesy but sometimes I've just run the openssl command
> line utility with popen and read the output:
>
> openssl x509 -text -noout -in certfile
>
> will dump out the cert contents and you can parse it with regexps.
>
> The right way to do it is to make the appropriate m2crypto (or
> whatever) calls that parse the cert directly.

I'm not sure this is what the OP is looking for. Your method assumes the
certificate is on the local file system, while it seems to me he wants
to do an HTTPS request to one of their servers and obtain information
from the certificate installed there.

For doing that, cURL might be a good choice (either the command line
version (http://curl.haxx.se) or the Python extension module PycURL
(http://pycurl.sourceforge.net/)).

For instance:

C:\> curl -v https://www.paypal.com
* About to connect() to www.paypal.com port 443
* Trying 216.113.188.65... * connected
* Connected to www.paypal.com (216.113.188.65) port 443
* successfully set certificate verify locations:
* CAfile: C:\home\personal\development\bin\curl-ca-bundle.crt
CApath: none
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=US/ST=California/L=Mountain View/O=Paypal
Inc./OU=Information Systems/OU=Terms of use at
www.verisign.com/rpa (c)00/CN=www.paypal.com
* start date: 2006-02-09 00:00:00 GMT
* expire date: 2008-02-09 23:59:59 GMT
* common name: www.paypal.com (matched)
* issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign
International Server CA - Class 3/OU=
www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
* SSL certificate verify ok.
[more output deleted]
I'm sure that by using the cURL API directly, you can obtain the
certificate information in a more direct way without having to rely on
parsing the above output with regexps. Doing so might also be more
complex though :-)
Regards,
Jan
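
An added example, not part of the original posts: instead of cURL or m2crypto, this uses Python's standard `ssl` module to take the server's certificate from the TLS handshake and read the issuer and validity period directly, with no regexps. `fetch_peer_cert` and `cert_metadata` are hypothetical helper names, and `SAMPLE_CERT` is a constructed dict in the shape `getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_peer_cert(host, port=443, timeout=10.0):
    """Handshake with host:port and return the verified leaf certificate as a dict."""
    # The default context verifies chain and hostname; with verification
    # turned off, getpeercert() returns an empty dict instead of parsed fields.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _flatten(name):
    """Turn getpeercert()'s tuple of RDNs into a list of (attribute, value) pairs."""
    return [(k, v) for rdn in name for (k, v) in rdn]

def _utc(cert_time):
    """Parse a 'Feb  9 23:59:59 2008 GMT' style timestamp into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def cert_metadata(cert, now=None):
    """Report who the cert is for, who signed it, and its validity period."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    return {
        "subject_cn": [v for k, v in subject if k == "commonName"],
        "issuer": ", ".join(f"{k}={v}" for k, v in issuer),
        "not_before": not_before,
        "not_after": not_after,
        "days_left": (not_after - now).days,
        "valid_now": not_before <= now <= not_after,
    }

# Constructed sample in the shape getpeercert() returns (values are made up).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Inc."),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example Trust Network"),),
               (("commonName", "Example Server CA"),)),
    "notBefore": "Feb  9 00:00:00 2006 GMT",
    "notAfter": "Feb  9 23:59:59 2008 GMT",
}

if __name__ == "__main__":
    print(cert_metadata(SAMPLE_CERT))
    # Live use (needs network): cert_metadata(fetch_peer_cert("www.example.com"))
```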