Newbie question regarding SSL and certificate verification

John Nagle nagle at animats.com
Thu Jul 29 01:08:57 EDT 2010


On 7/28/2010 6:26 PM, geremy condra wrote:
> On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey
> Gaynor <jgaynor at ncsa.uiuc.edu> wrote:
>> Hi,
>>
>> I am making a first large project in python and am having quite a
>> bit of difficulty unscrambling various python versions and what
>> they can/cannot do. To wit, I must communicate with certain
>> services via https and am required to perform certificate
>> verification on them.
>>
>> The problem is that I also have to do this under CentOS 5.5 which
>> only uses python 2.4 as its default -- this is not negotiable. As
>> near as I can tell from reading various posts, the https client
>> does not do verification and there is no low-level SSL support to
>> provide a workaround. Near as I can tell from reading, 2.6 does
>> include this. Am I getting this right? Is there a simple way to do
>> this? More to the point, I need to know pretty darn quick if this
>> is impossible so we can try and plan for it.
>>
>> So the quick question: Has anyone done certificate verification
>> using 2.4 and if so, how?
>>
>> Thanks!
>
> M2Crypto is the way to go here. I think there's an example on their
> site.

    M2Crypto does that job quite well.  Installing M2Crypto tends to be
painful if you have to build it, though.  See if you can find a pre-
built version.

    You then need a "cacert.pem" file, with the root certificates you're
going to trust.  You can get one from

	http://curl.haxx.se/docs/caextract.html

which converts Mozilla's format to a .pem file once a week.
The actual Mozilla source file is at

http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt

    but M2Crypto needs it in .pem format.

    The new Python SSL module in 2.6 and later has a huge built-in
security hole - it doesn't verify the domain against the
certificate.  As someone else put it, this means "you get to
talk securely with your attacker." As long as the site or proxy
has some valid SSL cert, any valid SSL cert copied from anywhere,
the new Python SSL module will tell you everything is just fine.

				John Nagle
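As an added example, not code from this thread or from M2Crypto, here is the check the 2.6 `ssl` module leaves out: matching the hostname you dialled against the names in the dict that `getpeercert()` returns, on the assumption that `cert_reqs=ssl.CERT_REQUIRED` with a `ca_certs` bundle such as the cacert.pem above has already validated the chain. The certificate dicts are constructed for illustration; `CertificateError`, `_dns_name_matches`, `match_hostname` and `hostname_matches` are names chosen here.

```python
# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert()
# returns; they are not real certificates.
CERT_WITH_SAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.org"),)),
}

class CertificateError(ValueError):
    """Raised when the peer certificate does not cover the requested hostname."""

def _dns_name_matches(pattern, hostname):
    """RFC 6125 style match of one certificate DNS name against hostname.
    A wildcard is honoured only as the whole leftmost label and matches
    exactly one non-empty label: "*.example.net" covers "a.example.net",
    not "example.net", "a.b.example.net" or ".example.net"."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # Refuse "*", "*.com" and partial wildcards such as "w*.example.net".
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return hlabels[0] != "" and plabels[1:] == hlabels[1:]

def match_hostname(cert, hostname):
    """Raise CertificateError unless cert names hostname. subjectAltName DNS
    entries win when present; commonName is used only if there are none."""
    if not cert:
        raise CertificateError("empty or missing peer certificate")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    if not any(_dns_name_matches(n, hostname) for n in names):
        raise CertificateError(
            "hostname %r does not match certificate names %r" % (hostname, names))

def hostname_matches(cert, hostname):
    """Boolean form of match_hostname for callers that prefer a flag."""
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False
```

Current Python 3 performs this check itself when `check_hostname` is enabled on an `SSLContext`; the function here is for reading the rules, not a replacement for that.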



