Newbie question regarding SSL and certificate verification

geremy condra debatem1 at gmail.com
Thu Jul 29 01:23:48 EDT 2010


On Wed, Jul 28, 2010 at 10:08 PM, John Nagle <nagle at animats.com> wrote:
> On 7/28/2010 6:26 PM, geremy condra wrote:
>>
>> On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey
>> Gaynor<jgaynor at ncsa.uiuc.edu>  wrote:
>>>
>>> Hi,
>>>
>>> I am making a first large project in python and am having quite a
>>> bit of difficulty unscrambling various python versions and what
>>> they can/cannot do. To wit, I must communicate with certain
>>> services via https and am required to perform certificate
>>> verification on them.
>>>
>>> The problem is that I also have to do this under CentOS 5.5 which
>>> only uses python 2.4 as its default -- this is not negotiable. As
>>> near as I can tell from reading various posts, the https client
>>> does not do verification and there is no low-level SSL support to
>>> provide a workaround. Near as I can tell from reading, 2.6 does
>>> include this. Am I getting this right? Is there a simple way to do
>>> this? More to the point, I need to know pretty darn quick if this
>>> is impossible so we can try and plan for it.
>>>
>>> So the quick question: Has anyone done certificate verification
>>> using 2.4 and if so, how?
>>>
>>> Thanks!
>>
>> M2Crypto is the way to go here. I think there's an example on their
>> site.
>
>   M2Crypto does that job quite well.  Installing M2Crypto tends to be
> painful if you have to build it, though.  See if you can find a pre-
> built version.
>
>   You then need a "cacert.pem" file, with the root certificates you're
> going to trust.  You can get one from
>
>        http://curl.haxx.se/docs/caextract.html
>
> which converts Mozilla's format to a .pem file once a week.
> The actual Mozilla source file is at
>
> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
>
>   but M2Crypto needs it in .pem format.
>
>   The new Python SSL module in 2.6 and later has a huge built-in
> security hole - it doesn't verify the domain against the
> certificate.  As someone else put it, this means "you get to
> talk securely with your attacker." As long as the site or proxy
> has some valid SSL cert, any valid SSL cert copied from anywhere,
> the new Python SSL module will tell you everything is just fine.
>
>                                John Nagle

Did anything ever come of the discussion that you and Antoine had?

Geremy Condra

PS- the quote is due to Justin Samuel
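Added illustration (my own code, not from this thread or the Python stdlib): the check John says the 2.6 ssl module skips, matching the names in the peer certificate against the host you meant to reach, written over the dict that getpeercert() returns, with constructed certificate dicts as sample input. cacert.pem is assumed to be the curl-extracted bundle he mentions, and connect_verified() assumes a Python with ssl.create_default_context() (2.7.9+/3.4.3+), where this name check is already on by default.

```python
import ssl
import socket


def hostname_matches(cert, hostname):
    """True if `cert` (dict in ssl getpeercert() format) was issued for `hostname`.

    subjectAltName dNSName entries are authoritative; the subject CN is only
    consulted when the cert carries no dNSName at all (RFC 6125). A wildcard
    is honoured only as the whole leftmost label and covers exactly one label.
    """
    hostname = hostname.lower().rstrip('.')
    names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not names:
        for rdn in cert.get('subject', ()):
            names.extend(v for k, v in rdn if k == 'commonName')
    for pattern in names:
        pattern = pattern.lower().rstrip('.')
        if pattern.startswith('*.') and '*' not in pattern[1:]:
            suffix = pattern[1:]  # '*.api.example.com' -> '.api.example.com'
            label = hostname[:-len(suffix)] if hostname.endswith(suffix) else ''
            if label and '.' not in label:
                return True
        elif pattern == hostname:
            return True
    return False


def connect_verified(hostname, port=443, cafile='cacert.pem'):
    """TLS connection that checks the chain against cafile AND the name.

    Python 2.7.9+/3.4.3+ (PEP 476) do the name check inside the context already;
    hostname_matches() is repeated here to show what the 2.6 module left out.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname
    tls = ctx.wrap_socket(socket.create_connection((hostname, port)),
                          server_hostname=hostname)
    if not hostname_matches(tls.getpeercert(), hostname):
        tls.close()
        raise ssl.CertificateError('certificate is not for %s' % hostname)
    return tls


# Constructed samples mimicking getpeercert() output; not real certificates.
SAN_CERT = {
    'subject': ((('commonName', 'cn-only.example.net'),),),
    'subjectAltName': (('DNS', 'www.example.com'), ('DNS', '*.api.example.com')),
}
CN_ONLY_CERT = {'subject': ((('countryName', 'US'),), (('commonName', 'legacy.example.org'),))}
```

A chain that validates against cacert.pem but whose names do not include the host you asked for is exactly the "valid cert copied from anywhere" case John describes; hostname_matches() is what turns that into a rejection.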
