[pyOpenSSL] certificate verification

Ajay abra9823 at mail.usyd.edu.au
Mon Oct 4 02:13:22 CEST 2004


Quoting Martin Sjögren <msjogren at gmail.com>:

> On Sat,  2 Oct 2004 14:54:57 +1000, Ajay <abra9823 at mail.usyd.edu.au>
> wrote:
> > hi!
> >
> > i added a callback for set_verify.
> > ctx.set_verify(VERIFY_NONE, verify)
> >
> > in verify, i put a print statement and it gets called twice - once for
> > CA.cert and once for server.cert. Shouldn't it get called only once, for
> > server.cert
>
> No, the callback gets called once for every cert in the cert chain,
> starting with the root and ending with the server's cert. One of the
> arguments is the depth, I don't recall off hand.
>
> > also how would you verify the server certificate? what would you add to
> > verify()
>
> Well, for starters I'd use SSL.VERIFY_PEER rather than VERIFY_NONE ;)
> You should probably read the man page for SSL_CTX_set_verify_callback,
> this is basic openssl stuff.
>

SSL_CTX_set_verify_callback says you can pass a NULL for the callback in
which case the OpenSSL built in verify is used to perform the verification
(which should be sufficient for most cases).

So how do i get it to use the built in 'verify'?
ctx.set_verify(VERIFY_PEER, None) is an error

all i really want to do is verify that the certificate presented by the
server is authentic, which should be handled by the built in function.

cheers



>
> /Martin
>


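An added example, not part of the original messages: one way to get the behaviour asked about above is to keep a callback but have it return OpenSSL's own per-certificate result (`ok`) unchanged under `VERIFY_PEER`. The helper names, the CA file path and the host are hypothetical, and `SSL.TLS_CLIENT_METHOD` assumes a recent pyOpenSSL release.

```python
# Added example: a pyOpenSSL verify callback that defers to OpenSSL's
# built-in chain verification. Helper names are hypothetical.
import socket


def make_verify_callback(log):
    """Return a callback that only reports; OpenSSL's verdict decides."""
    def verify(conn, cert, errnum, depth, ok):
        # Called once per certificate in the chain. `ok` is the outcome of
        # OpenSSL's own check for this certificate (1 = passed, 0 = failed)
        # and `errnum` is the X509 verification error code (0 = no error).
        log.append((depth, cert.get_subject().CN, errnum, bool(ok)))
        # Returning `ok` unchanged keeps the built-in decision. Returning
        # True unconditionally would accept any certificate.
        return bool(ok)
    return verify


def build_context(ca_file, log):
    # Imported here so the callback itself has no pyOpenSSL dependency.
    from OpenSSL import SSL
    ctx = SSL.Context(SSL.TLS_CLIENT_METHOD)  # assumes a recent pyOpenSSL
    ctx.load_verify_locations(ca_file)        # trust anchors for the chain
    # VERIFY_PEER makes a failed verification abort the handshake.
    ctx.set_verify(SSL.VERIFY_PEER, make_verify_callback(log))
    return ctx


def connect(host, port, ca_file):
    """Handshake with host:port; returns the connection and callback log."""
    from OpenSSL import SSL
    log = []
    sock = socket.create_connection((host, port))
    conn = SSL.Connection(build_context(ca_file, log), sock)
    conn.set_tlsext_host_name(host.encode())
    conn.set_connect_state()
    conn.do_handshake()  # raises SSL.Error when verification fails
    # Chain verification does not compare the certificate to `host`;
    # that comparison is a separate check.
    return conn, log
```

A call such as `connect("server.example", 443, "CA.cert")` (placeholder values) then fails during the handshake when the chain does not validate, and `log` shows which depth failed.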



