urllib getting SSL certificate info
Heikki Toivonen
hjtoi-better-remove-when_replying at comcast.net
Wed Aug 20 03:08:51 EDT 2008
Ghirai wrote:
> Would you mind sharing some code? The module is pretty ugly and on top has no
> docs whatsoever; got tired of reading the source...
Did you find out the right homepage at
http://chandlerproject.org/Projects/MeTooCrypto? The original author,
ngps, hasn't been involved in the project for years, yet for some reason
his page still comes up first when you search with Google.
The real M2Crypto homepage includes a short SSL howto. In there is a 5
line sample client script. But here is the equivalent of what JP wrote
in M2Crypto:
from M2Crypto import SSL
ctx = SSL.Context('sslv3')
# If you comment out these lines, the connection won't be secure
#ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9)
#if ctx.load_verify_locations('ca.pem') != 1: raise Exception('No CA certs')
c = SSL.Connection(ctx)
c.connect(('www.google.com', 443)) # automatically checks cert matches host
c.send('GET / HTTP/1.1\r\n\r\n')
cert = c.get_peer_cert()
print cert.get_issuer() # actually returns X509_Name object
print cert.get_subject() # actually returns X509_Name object
I should point out that M2Crypto really tries to make things safe by
default. For example with SSL, you will have to explicitly request weak
crypto to get SSLv2 and weak ciphers, and by default in client mode it
will check that the certificate hostname matches the hostname you tried
to connect to. You can override these if you want. The examples
typically show how to do things the safe way.
M2Crypto has over 200 unit tests, which I think offer a reasonable way
of checking how to use the API.
You can generate the M2Crypto API documentation yourself, but it is
pretty minimal. I'll see if I can find some cycles to flesh it out.
pyOpenSSL has the API documentation online, arguably in a nicer format
even, but there doesn't seem to be much more of it IMO. Both M2Crypto
and pyOpenSSL recommend you to go read the OpenSSL documentation since
most things are pretty thin wrappers around OpenSSL. But really, for
anyone doing any serious SSL development using OpenSSL or any OpenSSL
wrappers I recommend you go read "Network Security with OpenSSL" by John
Viega, Matt Messier and Pravir Chandra, ISBN 059600270X.
But just for your viewing pleasure, I just generated the M2Crypto API
documentation and put a link to it from the M2Crypto homepage:
http://chandlerproject.org/Projects/MeTooCrypto
--
Heikki Toivonen - http://www.heikkitoivonen.net
More information about the Python-list
mailing list