[pyOpenSSL] 'internal error' on 0.5.1

Yannick Gingras yannick.gingras at savoirfairelinux.com
Wed Jul 30 16:02:16 CEST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On July 30, 2003 08:04 am, you wrote:
> I'm not sure I follow what you're trying to do. It looks to me like
> you're connecting a regular socket to an address, and then create a new
> socket, using SSL, and connect it to the same address. But then you
> return the old connection. What's the point, really? Note that you can
> pass an already connected socket as argument to SSL.Connection. That's
> when you should use .set_connect_state() (if you're using .connect(),
> .set_connect_state() is redundant since it already is in connecting
> state).

I try to fetch the peer certificate.  The python SSL object does not
seem to have support for this.  SafeTransport.make_connection()
returns a httplib.HTTPS object that is not connect()ed yet.  The way
I'd like to do it is to use pyOpenSSL to initiate the connection and
to validate the certificate and then to replace the socket in the
HTTPS object and to let xmlrpclib do the rest.


> You shouldn't need to renegotiate()/do_handshake() since the handshake
> will be initiated automatically as soon as you try to read or write
> from/to the socket. Certificate validation is normally done in a
> callback fashion...

If I don't try to renegotiate()/do_handshake(), it works perfectly but
get_peer_certificate() always returns None :\


> I wish I could tell you what "internal error" means, but I can't, at
> least not without digging through the OpenSSL source code, and I don't
> really have the time for that right now.

I think that I'm doing it the right way anyway.  There must be some
easier way to get the peer certificate than through renegotiation.


> > I'm not an SSL guru so I wonder what I may have done wrong.  Is this
> > the right way to make an SSL connection with pyOpenSSL ?  I use Python
> > 2.2.2 on Red Hat 9.  OpenSSL is a custom build of 0.9.7b (I tried
> > M2Crypto).
>
> What do you mean, you tried M2Crypto? Do you mean "I tried M2Crypto but
> it sucked so I went for pyOpenSSL instead"? ;)

Obviously if M2Crypto was what I was looking for I would have stayed
with it.

;)

The main problem was that M2Crypto needs major tweaks to compile and
that I expect many users to give up early in the process.

Thanks for your time !


- -- 
Yannick Gingras
Byte Gardener, Savoir-faire Linux inc.
(514) 276-5468

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/J8/orhy5Fqn/MRARArjLAJ0ZoSIGsfCNgbvUSCRc55wzYuHEkQCeJrUp
BGHvSOvgNRiKHs41pDyf3HE=
=hKtC
-----END PGP SIGNATURE-----
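The pattern the thread circles around, written out as an added example (not code from the thread's authors or from the pyOpenSSL project): wrap a connection with set_connect_state(), drive the handshake explicitly with do_handshake(), validate the server certificate in a verify callback, and only then read it back with get_peer_certificate(). To run offline, both ends are SSL.Connection objects backed by memory BIOs (the `None` socket form) and the records are shuttled between them by hand; on a real socket the same do_handshake()/get_peer_certificate() calls apply, and the handshake would otherwise be triggered implicitly by the first read or write, as the reply says. The certificate, key, the name "test-server.example", and the helper names are all constructed here, and a current pyOpenSSL with its `cryptography` dependency is assumed rather than the 2003 versions in the thread.

```python
"""Added example: validate a peer certificate with pyOpenSSL and read it
after the handshake with get_peer_certificate().  Not pyOpenSSL project
code; hostname, certificate and helper names are constructed for the demo.
"""
import datetime

from OpenSSL import SSL, crypto
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

SERVER_CN = "test-server.example"  # constructed sample name


def make_self_signed(common_name):
    """Constructed throwaway RSA key and self-signed v3 CA certificate,
    returned as pyOpenSSL PKey/X509 objects."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(hours=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    return (
        crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem),
        crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem),
    )


def _pump(a, b):
    """Move pending TLS records from each side's outgoing memory BIO into
    the other side's incoming BIO (what a real socket would do)."""
    for src, dst in ((a, b), (b, a)):
        try:
            data = src.bio_read(65536)
        except SSL.WantReadError:  # nothing queued on this side
            continue
        if data:
            dst.bio_write(data)


def fetch_peer_certificate(trusted_cert, server_key, server_cert, rounds=20):
    """Run a client/server handshake in memory and return
    (peer_cn, verify_events, error).

    The verify callback records every (subject CN, X509 error number,
    depth, ok) OpenSSL asks about and answers with OpenSSL's own verdict,
    so an untrusted chain aborts the handshake instead of being accepted.
    """
    events = []

    def verify_cb(conn, cert, errnum, depth, ok):
        events.append((cert.get_subject().CN, errnum, depth, bool(ok)))
        return bool(ok)

    client_ctx = SSL.Context(SSL.TLS_METHOD)
    client_ctx.set_verify(SSL.VERIFY_PEER, verify_cb)
    if trusted_cert is not None:
        client_ctx.get_cert_store().add_cert(trusted_cert)

    server_ctx = SSL.Context(SSL.TLS_METHOD)
    server_ctx.use_privatekey(server_key)
    server_ctx.use_certificate(server_cert)

    client = SSL.Connection(client_ctx, None)  # None: memory BIOs, no socket
    client.set_connect_state()  # same call you use for an already-connected socket
    server = SSL.Connection(server_ctx, None)
    server.set_accept_state()

    finished = set()
    for _ in range(rounds):
        for name, side in (("client", client), ("server", server)):
            try:
                side.do_handshake()
                finished.add(name)
            except SSL.WantReadError:
                pass  # needs more records from the peer
            except SSL.Error as exc:  # e.g. certificate verify failed
                return None, events, str(exc)
        _pump(client, server)
        if len(finished) == 2:
            break
    else:
        return None, events, "handshake did not complete"

    # Only after a completed handshake is the peer certificate available.
    peer = client.get_peer_certificate()
    return peer.get_subject().CN, events, None


if __name__ == "__main__":
    key, cert = make_self_signed(SERVER_CN)
    print("trusted:", fetch_peer_certificate(cert, key, cert))
    print("untrusted:", fetch_peer_certificate(None, key, cert))
```

With the server certificate in the client's store the first call returns the peer CN and a callback trace of ok verdicts; with an empty store OpenSSL reports a depth-0 self-signed error in the callback, the callback returns False, and do_handshake() raises instead of handing over a certificate that was never validated.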