From abra9823 at mail.usyd.edu.au Sat Oct 2 06:54:57 2004
From: abra9823 at mail.usyd.edu.au (Ajay)
Date: Sat, 2 Oct 2004 14:54:57 +1000
Subject: [pyOpenSSL] certificate verification
Message-ID: <1096692897.415e34a119a2e@www-mail.usyd.edu.au>

hi!

i added a callback for set_verify.
    ctx.set_verify(VERIFY_NONE, verify)

in verify, i put a print statement and it gets called twice - once for CA.cert and once for server.cert. Shouldn't it get called only once, for server.cert?

also how would you verify the server certificate? what would you add to verify()?

thanks
cheers

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


From msjogren at gmail.com Sat Oct 2 09:35:09 2004
From: msjogren at gmail.com (Martin Sjögren)
Date: Sat, 2 Oct 2004 09:35:09 +0200
Subject: [pyOpenSSL] certificate verification
In-Reply-To: <1096692897.415e34a119a2e@www-mail.usyd.edu.au>
References: <1096692897.415e34a119a2e@www-mail.usyd.edu.au>
Message-ID: <1e1bb1f004100200355f9ea637@mail.gmail.com>

On Sat, 2 Oct 2004 14:54:57 +1000, Ajay wrote:
> hi!
>
> i added a callback for set_verify.
>     ctx.set_verify(VERIFY_NONE, verify)
>
> in verify, i put a print statement and it gets called twice - once for
> CA.cert and once for server.cert. Shouldn't it get called only once, for
> server.cert

No, the callback gets called once for every cert in the cert chain, starting with the root and ending with the server's cert. One of the arguments is the depth, I don't recall off hand.

> also how would you verify the server certificate? what would you add to
> verify()

Well, for starters I'd use SSL.VERIFY_PEER rather than VERIFY_NONE ;)
You should probably read the man page for SSL_CTX_set_verify_callback, this is basic openssl stuff.

/Martin


From abra9823 at mail.usyd.edu.au Mon Oct 4 02:13:22 2004
From: abra9823 at mail.usyd.edu.au (Ajay)
Date: Mon, 4 Oct 2004 10:13:22 +1000
Subject: [pyOpenSSL] certificate verification
In-Reply-To: <1e1bb1f004100200355f9ea637@mail.gmail.com>
References: <1096692897.415e34a119a2e@www-mail.usyd.edu.au> <1e1bb1f004100200355f9ea637@mail.gmail.com>
Message-ID: <1096848802.416095a24f3ab@www-mail.usyd.edu.au>

Quoting Martin Sjögren:

> On Sat, 2 Oct 2004 14:54:57 +1000, Ajay wrote:
> > hi!
> >
> > i added a callback for set_verify.
> >     ctx.set_verify(VERIFY_NONE, verify)
> >
> > in verify, i put a print statement and it gets called twice - once for
> > CA.cert and once for server.cert. Shouldn't it get called only once, for
> > server.cert
>
> No, the callback gets called once for every cert in the cert chain,
> starting with the root and ending with the server's cert. One of the
> arguments is the depth, I don't recall off hand.
>
> > also how would you verify the server certificate? what would you add to
> > verify()
>
> Well, for starters I'd use SSL.VERIFY_PEER rather than VERIFY_NONE ;)
> You should probably read the man page for SSL_CTX_set_verify_callback,
> this is basic openssl stuff.

SSL_CTX_set_verify_callback says you can pass a NULL for the callback, in which case the OpenSSL built-in verify is used to perform the verification (which should be sufficient for most cases).

So how do i get it to use the built-in 'verify'?
    ctx.set_verify(VERIFY_PEER, None)
is an error.

all i really want to do is verify that the certificate presented by the server is authentic, which should be handled by the built-in function.

cheers

> /Martin

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
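The behaviour Martin describes (one callback invocation per chain member, root first, the server's certificate at depth 0) and the answer to Ajay's follow-up (pyOpenSSL will not take None, so return OpenSSL's own verdict from the callback), as an added example that is not code from the thread. ChainVerifier, make_client_context, FakeCert, demo and the host name server.example are names introduced here; the leaf-name check is an addition beyond what the thread discusses, and SSL.TLS_CLIENT_METHOD assumes a recent pyOpenSSL.

```python
class ChainVerifier:
    """Callback for Context.set_verify(SSL.VERIFY_PEER, ...).

    OpenSSL invokes it once per certificate in the chain, trust anchor first
    and the server's own certificate last (depth 0), so a print in it fires
    once for CA.cert and once for server.cert.  preverify_ok is OpenSSL's
    built-in verdict for that certificate (signature, validity period,
    chaining to a loaded CA); returning it unchanged is the pyOpenSSL
    equivalent of the C API's NULL callback, which set_verify does not accept.
    Note that with VERIFY_NONE the callback still runs but failures are ignored.
    """

    def __init__(self, expected_host):
        self.expected_host = expected_host
        self.seen = []          # (depth, commonName, preverify_ok) in call order

    def __call__(self, conn, x509, errnum, depth, preverify_ok):
        cn = x509.get_subject().commonName
        self.seen.append((depth, cn, bool(preverify_ok)))
        if not preverify_ok:
            return False        # never overrule a built-in failure; errnum says why
        if depth == 0 and cn != self.expected_host:
            return False        # leaf must name the host we dialed (CN only here;
        return True             # production code must match subjectAltName too)


def make_client_context(ca_file, expected_host):
    """Context that aborts the handshake unless the whole chain verifies."""
    from OpenSSL import SSL     # lazy import: ChainVerifier works without pyOpenSSL
    ctx = SSL.Context(SSL.TLS_CLIENT_METHOD)   # pyOpenSSL >= 21; older: SSLv23_METHOD
    ctx.load_verify_locations(ca_file)         # the CA.cert from the question
    verifier = ChainVerifier(expected_host)
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verifier)
    return ctx, verifier


class FakeCert:
    """Constructed stand-in for OpenSSL.crypto.X509, only for the offline demo."""
    def __init__(self, cn):
        self._cn = cn

    def get_subject(self):
        return type("Name", (), {"commonName": self._cn})()


def demo():
    """Replay the two-certificate chain from the question through the callback."""
    verifier = ChainVerifier("server.example")
    chain = [(1, FakeCert("Test CA")), (0, FakeCert("server.example"))]
    verdicts = [verifier(None, cert, 0, depth, 1) for depth, cert in chain]
    return verifier.seen, verdicts
```

demo() shows the CA entry recorded first at depth 1 and the server entry at depth 0, which is the "called twice" Ajay observed.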
From abra9823 at mail.usyd.edu.au Mon Oct 4 03:28:16 2004
From: abra9823 at mail.usyd.edu.au (Ajay)
Date: Mon, 4 Oct 2004 11:28:16 +1000
Subject: [pyOpenSSL] OpenSSL.SSL.ZeroReturnError
Message-ID: <1096853296.4160a730ceb81@www-mail.usyd.edu.au>

hi!

i have a client and server that communicate over an SSL connection. the client connects to the server and sends some data and then closes. For some reason, on the server side, every time i try to read data, i get a ZeroReturnError.

my client code is

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn = SSL.Connection(ctx, s)
    conn.connect((host, port))
    conn.send(result)
    conn.shutdown()
    conn.close()

the server is

    addr = (SERVICE_HOST, SERVICE_PORT)
    globals()['serverconn'] = Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
    globals()['serverconn'].bind(addr)
    print "server started"
    globals()['serverconn'].listen(5)
    while 1:
        (cli, address) = globals()['serverconn'].accept()
        print 'Connection from %s' % (address,)
        #try:
        str = cli.recv(1024)
        data = ""
        while len(str) != 0:
            data += str
            str = cli.recv(1024)
        print "received " #, data

the error comes at "str = cli.recv(1024)". i get to the 'Connection from...' print statement, and then the error comes up.

What am i doing wrong? And how can i get rid of the error? the same code worked fine before i added the SSL part, so i doubt there is anything fundamentally wrong with the code.

thanks
cheers

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


From leigh at eclinic.com.au Tue Oct 19 05:06:11 2004
From: leigh at eclinic.com.au (Leigh Dyer)
Date: Tue, 19 Oct 2004 13:06:11 +1000
Subject: [pyOpenSSL] PATCH: Handle long serial numbers in X509 get_serial_number
Message-ID: <417484A3.3090205@eclinic.com.au>

Hi all,

I've recently been looking at pyOpenSSL but I noticed that it didn't properly handle the serial numbers in the Verisign certificates that I'm using. The serial numbers are long - too big to fit in a 32-bit int, so OpenSSL returns -1 instead, which is passed through by pyOpenSSL.

This small patch handles these long serial numbers by converting them to strings, which are then converted to PyLong objects using the Python/C API.

Thanks
Leigh

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: x509.c.diff
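Returning to Ajay's ZeroReturnError message above: pyOpenSSL raises SSL.ZeroReturnError from recv() once the peer has called shutdown() (sent a TLS close_notify), rather than returning an empty string as a plain socket would, so his `while len(str) != 0` loop can never reach its exit condition. The following added example (not code from the thread) reads until that signal and distinguishes a clean close from an unexpected TCP drop; read_until_shutdown, serve_one and _ScriptedConn are names introduced here.

```python
# On pyOpenSSL, recv() after the peer's shutdown() raises ZeroReturnError;
# a connection torn down without close_notify raises SysCallError instead.
try:
    from OpenSSL.SSL import ZeroReturnError, SysCallError
except ImportError:
    # Stand-ins so the read loop can be exercised without pyOpenSSL installed.
    class ZeroReturnError(Exception):
        pass

    class SysCallError(Exception):
        pass


def read_until_shutdown(conn, chunk=1024):
    """Return (data, clean): all bytes the peer sent, and whether it ended the
    TLS session with close_notify.  clean=False means the transport dropped
    before the peer said it was done, so the data may be truncated."""
    parts = []
    while True:
        try:
            buf = conn.recv(chunk)
        except ZeroReturnError:      # peer called shutdown(): this is EOF, not an error
            return b"".join(parts), True
        except SysCallError:         # e.g. (-1, 'Unexpected EOF'): no close_notify
            return b"".join(parts), False
        if not buf:                  # empty read on a non-TLS / already-closed socket
            return b"".join(parts), False
        parts.append(buf)


def serve_one(ctx, host, port):
    """Accept a single client on a pyOpenSSL listening Connection and read its payload."""
    import socket
    from OpenSSL import SSL
    listener = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
    listener.bind((host, port))
    listener.listen(5)
    cli, address = listener.accept()     # handshake happens on the first recv()
    try:
        return read_until_shutdown(cli)
    finally:
        cli.close()
        listener.close()


class _ScriptedConn:
    """Constructed stand-in for a Connection: hands out chunks, then raises the
    close signal the real peer would have produced."""
    def __init__(self, chunks, final_exc):
        self._chunks = list(chunks)
        self._final_exc = final_exc

    def recv(self, n):
        if self._chunks:
            return self._chunks.pop(0)
        raise self._final_exc
```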