Certificate validation with HTTPSConnection

Velko Ivanov vivanov at ivanov-nest.com
Wed Sep 29 05:53:02 EDT 2010 


Hello, 

I've always wandered why HTTPSConnection does not validate
certificates? 

It is fairly simple to use the SSL socket's validation:


> class HTTPSConnection(HTTPConnection):
> """This class allows
communication via SSL.
> It is a copy of the http.client.HTTPSConnection
with added certificate validation
> """
> 
> default_port = HTTPS_PORT
>

> def __init__(self, host, port=None, key_file=None, cert_file=None,
ca_file=None,
> cert_reqs=ssl.CERT_NONE, strict=None,
timeout=socket._GLOBAL_DEFAULT_TIMEOUT):
> HTTPConnection.__init__(self,
host, port, strict, timeout)
> self.key_file = key_file
> self.cert_file
= cert_file
> self.cert_reqs = cert_reqs
> self.ca_file = ca_file
> 
>
def connect(self):
> "Connect to a host on a given (SSL) port."
> 
>
sock = socket.create_connection((self.host, self.port), self.timeout)
>

> if self._tunnel_host:
> self.sock = sock
> self._tunnel()
> 
>
self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
certfile=self.cert_file, cert_reqs=self.cert_reqs,
ca_certs=self.ca_file) 

> conn = HTTPSConnection(host,
cert_file=certfile, cert_reqs=ssl.CERT_REQUIRED, ca_file=cafile) 

IMO
it doesn't matter how well is the validation covered in the ssl lib, or
the filenames vs. files issues of ssl.wrap_socket() - HTTPSConnection
should only provide the means to use what is available in SSL and
include a link in docs to explanations of how SSL does what it does, so
that people can make their decisions. 

The above code works quite well
for me in production, where client nodes connect to apache and nginx
servers by HTTPS with certificate based authentication. I'm using self
signed CA though and I don't need revocation lists, so I know nothing of
whether that part of validation is/could be working. 

Just sharing a
simple solution to a simple problem on which I spent more that few hours
in reading, hope this helps the next lost soul 

Best Regards 

Velko
Ivanov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20100929/4dfe6d06/attachment.html>

More information about the Python-list mailing list