From comp.ogz at gmail.com Sat Jul 2 15:49:26 2005
From: comp.ogz at gmail.com (Ogz)
Date: Sat, 2 Jul 2005 16:49:26 +0300
Subject: [pyOpenSSL] client and server side jobs
Message-ID: <20831c74050702064929f6e06f@mail.gmail.com>

Below is a sample code part:

    import socket
    from OpenSSL import SSL

    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.load_verify_locations(cafile)
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssl = SSL.Connection(ctx, s)
    ssl.connect((host, 443))
    ssl.sendall("GET / HTTP/1.0\r\n\r\n")

At this point the verify callback works, and if it returned 0 somehow, the execution stops. I want to understand the working logic of SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify).

I would be happy if someone could send me sample code for both the client and server side: the client side will have a public key, and the server side will have both public and private and will be able to check whether this user is allowed. Just two samples that show the main logic. I think it will be helpful to many other beginners like me.

From: comp.ogz at gmail.com (Ogz)
Date: Sat, 2 Jul 2005 23:13:03 +0300
Subject: [pyOpenSSL] need help on code
Message-ID: <20831c74050702131362abd042@mail.gmail.com>

Below is a sample code. As I understood, this is the client side part of the code. What else do I need to write for its server part, and should I use use_certificate_file or privatekey_file? If so, how? Please show me with a little sample code.

    #!/usr/bin/env python
    # OpenSSL example with verification - Chapter 15 - osslverify.py
    #
    # Command-line arguments -- root CA file, remote host
    # (Python 2 / pyOpenSSL 0.6 syntax, as posted)

    import socket, sys
    from OpenSSL import SSL

    # Grab the command-line parameters
    #cafile, host = sys.argv[1:]
    #
    cafile = 'certfiles.crt'
    host = 'www.openssl.org'

    def printx509(x509):
        """Display an X.509 certificate"""
        # Keys must be names OpenSSL recognises (X509Name looks them up with
        # OBJ_txt2nid); 'country_name' in the posted version is not one, so
        # the country line never printed.  The standard short names are used.
        fields = {'C': 'Country',
                  'ST': 'State/Province',
                  'L': 'Locality',
                  'O': 'Organization',
                  'OU': 'Organizational Unit',
                  'CN': 'Common Name',
                  'emailAddress': 'E-Mail'}
        for field, desc in fields.items():
            try:
                print "%30s: %s" % (desc, getattr(x509, field))
            except AttributeError:
                pass

    def verify(connection, certificate, errnum, depth, ok):
        """Verify a given certificate.

        OpenSSL calls this once per certificate in the chain, from the
        root CA (highest depth) down to the server's own cert (depth 0).
        Returning 0 aborts the handshake."""
        print connection, certificate, errnum, depth, ok
        subject = certificate.get_subject()
        issuer = certificate.get_issuer()
        print "Certificate from:"
        printx509(subject)
        print "\nIssued By:"
        printx509(issuer)

        if not ok:
            # OpenSSL could not verify the digital signature.
            print "Could not verify certificate."
            return 0

        # Digital signature verified.  Now make sure it's for the server
        # we connected to.  Only the depth-0 certificate names the server;
        # the CA certificates above it legitimately carry other names.
        if depth == 0:
            if subject.CN is None or subject.CN.lower() != host.lower():
                print "Connected to %s, but got cert for %s" % \
                      (host, subject.CN)
                print "Could not verify server name; failing."
                return 0

        print "-" * 70
        return 1

    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.load_verify_locations(cafile)

    # Set up the verification.  Notice we pass the verify function to
    # ctx.set_verify()
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify)

    print "Creating socket...",
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "done."

    ssl = SSL.Connection(ctx, s)

    print "Establishing SSL...",
    ssl.connect((host, 443))
    print "done."

    print "Requesting document..."
    ssl.sendall("GET / HTTP/1.0\r\n\r\n")
    print "done."

    # recv() returns at most one TLS record at a time, so loop until the
    # server closes the connection (ZeroReturnError).
    while 1:
        try:
            buf = ssl.recv(4096)
        except SSL.ZeroReturnError:
            break
        sys.stdout.write(buf)

    ssl.close()

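Ogz's two posts above ask how VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT and the callback interact, and what the server half needs. The block below is an added example written for this page, not pyOpenSSL's code and not from the thread: it models in plain Python the way OpenSSL walks a chain and calls the set_verify() callback once per certificate, so the decision logic can be exercised offline without certificates or a network. The VERIFY_* bit values, the X509_V_* error numbers and the five-argument callback signature are pyOpenSSL's; FakeName, FakeCert, run_verification() and the constructed chain are assumptions made for the example, and "issuer found one level up" stands in for the signature, validity-period and basicConstraints checks real OpenSSL performs.

```python
"""Added model of how OpenSSL drives a pyOpenSSL set_verify() callback.

Not pyOpenSSL code: FakeName, FakeCert and run_verification() are stand-ins
written for this example. The VERIFY_* bit values, the X509_V_* error codes
and the callback signature (connection, certificate, errnum, depth, ok)
are the real ones.
"""

VERIFY_NONE = 0x00
VERIFY_PEER = 0x01
VERIFY_FAIL_IF_NO_PEER_CERT = 0x02

X509_V_OK = 0
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20


class FakeName:
    """Stand-in for OpenSSL.crypto.X509Name; only CN is modelled."""

    def __init__(self, cn):
        self.CN = cn


class FakeCert:
    """Stand-in for OpenSSL.crypto.X509 exposing what a callback reads."""

    def __init__(self, subject_cn, issuer_cn):
        self._subject = FakeName(subject_cn)
        self._issuer = FakeName(issuer_cn)

    def get_subject(self):
        return self._subject

    def get_issuer(self):
        return self._issuer


def hostname_matches(pattern, host):
    """Case-insensitive compare; '*' is honoured only as the whole leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:] and "." in pattern[2:]:
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def make_verify_callback(host):
    """Return a callback for Context.set_verify() that fails closed."""

    def verify(connection, certificate, errnum, depth, ok):
        if not ok:
            # OpenSSL already rejected this certificate (errnum says why).
            # Returning 1 here would override that verdict, so never do it.
            return 0
        if depth == 0:
            # Only the leaf names the server; CA certificates further up the
            # chain carry other names, so the host check belongs here alone.
            cn = certificate.get_subject().CN
            if not cn or not hostname_matches(cn, host):
                return 0
        return 1

    return verify


def run_verification(mode, peer_chain, callback, trusted_cns,
                     server_side=False, connection=None):
    """Emulate the certificate step of a handshake; True means it continues.

    peer_chain is ordered leaf first, so the list index is the depth OpenSSL
    reports. trusted_cns stands for the CAs given to load_verify_locations().
    An issuer found one level up counts as a verified signature here; real
    OpenSSL also checks signatures, validity periods and basicConstraints.
    """
    if not mode & VERIFY_PEER:
        return True                       # VERIFY_NONE: nothing is checked
    if not peer_chain:
        if not server_side:
            return False                  # a client always needs the server's cert
        # A server tolerates a missing client certificate unless
        # VERIFY_FAIL_IF_NO_PEER_CERT is set; the flag is ignored on clients.
        return not mode & VERIFY_FAIL_IF_NO_PEER_CERT
    top = len(peer_chain) - 1
    for depth in range(top, -1, -1):      # walk from the CA end down to the leaf
        cert = peer_chain[depth]
        issuer = cert.get_issuer().CN
        if depth == top:
            ok = issuer in trusted_cns
        else:
            ok = issuer == peer_chain[depth + 1].get_subject().CN
        errnum = X509_V_OK if ok else X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        if not callback(connection, cert, errnum, depth, int(ok)):
            return False                  # the callback's 0 aborts the handshake
    return True


# Constructed chain for the demonstration (no real certificates involved).
ROOT_CN = "Example Root CA"
CHAIN = [FakeCert("www.openssl.org", "Example Intermediate CA"),
         FakeCert("Example Intermediate CA", ROOT_CN)]

if __name__ == "__main__":
    strict = make_verify_callback("www.openssl.org")
    print(run_verification(VERIFY_PEER, CHAIN, strict, {ROOT_CN}))
    print(run_verification(VERIFY_PEER, CHAIN, strict, {"Other CA"}))
    print(run_verification(VERIFY_PEER, CHAIN, lambda *args: 1, {"Other CA"}))
```

What the model makes visible: with VERIFY_PEER alone a server simply proceeds when the client sends no certificate, and it is VERIFY_FAIL_IF_NO_PEER_CERT that turns that into a handshake failure (the flag is ignored on the client side, where the server's certificate is always required). The callback is called from the CA end down to the leaf, so the host-name comparison belongs at depth 0 only, and the "if not ok: return 0" branch is what keeps OpenSSL's own rejection in force: a callback that always returns 1 lets an untrusted chain through, which the last line of the demo reproduces with lambda *args: 1. For the server half Ogz asked about, the pyOpenSSL pieces are Context.use_certificate_file() and Context.use_privatekey_file() for the server's own credentials, plus the same set_verify() call with a callback that checks the client's subject; the client loads its own certificate and key the same way.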
From: dcbw at redhat.com (Dan Williams)
Date: Tue, 12 Jul 2005 10:57:04 -0400
Subject: [pyOpenSSL] pyOpenSSL threading issues under Linux
Message-ID: <1121180224.29801.25.camel@dcbw.boston.redhat.com>

Hi,

I'm using pyOpenSSL for the Fedora Extras build system after discovering that m2crypto was (1) less stable and (2) more complicated. The stuff I've been developing is available here, and implements an XMLRPC server + client and an HTTP server + client with two-way client/server certificate verification.

http://cvs.fedora.redhat.com/viewcvs/extras-buildsys/?root=fedora

The interesting stuff is probably in the 'common' directory, including AuthedXMLRPCServer.py, XMLRPCServerProxy.py, HTTPServer.py, and HTTPSURLOpener.py. It's inspired, in part, by the pyOpenSSL examples, m2crypto's workarounds, RHN/up2date's usage of pyOpenSSL, and some other random stuff. It does mostly work; feel free to look it over for bugs or as examples.

So, on to the problem... Both the XMLRPC server/client and the HTTPS server/client have tests built in that make heavy use of threads. The pyOpenSSL package in Fedora Core is _not_ built with OpenSSL thread safety; the patch is attached to this email. However, even with that patch, python falls over fairly quickly on multi-CPU boxes with segfaults, while single-CPU boxes work 90% of the time and segfault after a while. Turning off SSL in the test cases results in success. Debug builds of python fail fairly quickly using SSL under the test cases with this message:

Fatal Python error: UNREF invalid object
Abort

So I've thought of a number of things here:

1) The pyOpenSSL locking patch I've applied isn't working correctly, or I've forgotten some bits
2) Maybe we need to grab python locks in the pyOpenSSL locking patch in addition to the local pthreads lock
3) Perhaps pyOpenSSL needs to lock calls into OpenSSL with python locks too
4) Incorrect reference counting in pyOpenSSL?
5) Incorrect reference counting in python itself?

I'd be very grateful if anyone has tips on how to debug this sort of thing, or has insights/ideas about threading, python, OpenSSL, and pyOpenSSL. I'd be happy to provide more condensed test cases than just the CVSweb link above, if that would help.

Thanks!
Dan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pyOpenSSL-threadsafe.patch
Type: text/x-patch
Size: 2121 bytes
Desc: not available
URL:

From: dcbw at redhat.com (Dan Williams)
Date: Tue, 12 Jul 2005 14:28:13 -0400
Subject: [pyOpenSSL] pyOpenSSL threading issues under Linux
In-Reply-To: <1121180224.29801.25.camel@dcbw.boston.redhat.com>
References: <1121180224.29801.25.camel@dcbw.boston.redhat.com>
Message-ID: <1121192893.29801.41.camel@dcbw.boston.redhat.com>

On Tue, 2005-07-12 at 10:57 -0400, Dan Williams wrote:
> Hi,
> However, even with that patch, python falls over fairly quickly on
> multi-cpu boxes with segfaults, while single-cpu boxes work 90% of the
> time and segfault after a while. Turning off SSL in the testcases
> results in success. Debug builds of python fail fairly quickly using
> SSL under test cases with this message:
>
> Fatal Python error: UNREF invalid object
> Abort
>
> So I've thought of a number of things here:
>
> 1) The pyOpenSSL locking patch I've applied isn't working correctly, or
> I've forgotten some bits
> 2) Maybe we need to grab python locks in the pyOpenSSL locking patch in
> addition to the local pthreads lock
> 3) Perhaps pyOpenSSL needs to lock calls into OpenSSL with python locks
> too
> 4) Incorrect reference counting in pyOpenSSL?
> 5) Incorrect reference counting in python itself?
>
> I'd be very grateful if anyone has tips on how to debug this sort of
> thing, or has insights/ideas about threading, python, OpenSSL, and
> pyOpenSSL. I'd be happy to provide more condensed testcases than just
> the CVSweb link above, if that would help.

In partial reply to myself, this patch seems to help somewhat, along with the threading one earlier... I'm not sure why though.

--- pyOpenSSL-0.6/src/ssl/context.c.threadsafe	2004-08-06 06:24:38.000000000 -0400
+++ pyOpenSSL-0.6/src/ssl/context.c	2005-07-12 13:34:41.000000000 -0400
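Review bot: in the hunk at @@ -117,12 +117,15 @@ the interpreter is unlocked again with MY_BEGIN_ALLOW_THREADS(conn->tstate) immediately after crypto_X509_New(), yet the context lines that follow, `argv = Py_BuildValue("(OOiii)", (PyObject *)conn, (PyObject *)cert, ...)` and `Py_DECREF(cert);`, still run in that unlocked window: Py_BuildValue allocates a tuple and the DECREF can free the X509 object, and neither is safe without the GIL, so this leaves the same class of crash the patch is chasing. Suggest dropping the added MY_BEGIN_ALLOW_THREADS line after crypto_X509_New and keeping the thread state restored until after Py_DECREF(cert), and adding a one-line comment that MY_END_ALLOW_THREADS is the call that re-acquires the lock, since the naming reads backwards at first glance.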
@@ -117,12 +117,15 @@
     crypto_X509Obj *cert;
     int errnum, errdepth, c_ret;
-    cert = crypto_X509_New(X509_STORE_CTX_get_current_cert(x509_ctx), 0);
     errnum = X509_STORE_CTX_get_error(x509_ctx);
     errdepth = X509_STORE_CTX_get_error_depth(x509_ctx);
     ssl = (SSL *)X509_STORE_CTX_get_app_data(x509_ctx);
     conn = (ssl_ConnectionObj *)SSL_get_app_data(ssl);
+    MY_END_ALLOW_THREADS(conn->tstate);
+    cert = crypto_X509_New(X509_STORE_CTX_get_current_cert(x509_ctx), 0);
+    MY_BEGIN_ALLOW_THREADS(conn->tstate);
+
     argv = Py_BuildValue("(OOiii)", (PyObject *)conn, (PyObject *)cert,
                                     errnum, errdepth, ok);
     Py_DECREF(cert);

From: nick at buraglio.com (Nick Buraglio)
Date: Wed, 20 Jul 2005 11:05:21 -0500
Subject: [pyOpenSSL] importing cert chain
Message-ID:

After doing a little digging I am still unable to figure out how to import a cert chain. Is this function possible in pyopenssl?
I have a python based web application (using twisted.web and quixote) that uses pyopenssl and would like to use my cert and not have it present the warning (it is a comodo signed certificate).
Any pointers appreciated.

nb

-------------------------------------
Nick Buraglio
nick at buraglio.com
GnuPG Key: 0x2E5B44F4

From: adria at ecm.ub.es (Adrià Casajús)
Date: Thu, 21 Jul 2005 10:58:59 +0200
Subject: [pyOpenSSL] importing cert chain
In-Reply-To:
References:
Message-ID: <42DF63D3.5070603@ecm.ub.es>

Hi Nick,

I'm using GSI proxies and normal certificates, and I'm importing them using .use_certificate_chain_file( file ). Does that fail when using comodo-signed certificates?

Adri.

> After doing a little digging I am still unable to figure out how to
> import a cert chain. Is this function possible in pyopenssl?
> I have a python based web application (using twisted.web and quixote)
> that uses pyopenssl and would like to use my cert and not have it
> present the warning (it is a comodo signed certificate).
> Any pointers appreciated.
>
> nb
>
> -------------------------------------
> Nick Buraglio
> nick at buraglio.com
> GnuPG Key: 0x2E5B44F4

From: t4_seven at gmx.de (t47)
Date: Thu, 28 Jul 2005 20:28:42 +0200
Subject: [pyOpenSSL] max transmission size
Message-ID: <1122575322.7306.5.camel@localhost.localdomain>

hi list,

I'm experimenting with pyopenssl and really like it so far :D

I only have one problem: the maximum transmission size seems to be limited to 16384. No matter what higher value I pass to socket.recv(), whenever I send more than 16kb the server-side receive fails.
Is there any hidden switch I am missing, or what can I do about this?

thanks in advance,
t47.

python 2.3.5-4
pyopenssl 0.6-2
debian sarge
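The 16384 that t47 runs into is the TLS record ceiling: a record carries at most 2^14 bytes of plaintext, and SSL_read, which pyOpenSSL's Connection.recv() wraps, hands back at most one record's contents per call no matter how large the requested buffer is. A receiver that does a single recv() and expects the whole message therefore sees only the first 16 KiB; the rest is still waiting in the connection. The block below is an added example written for this page, not code from the thread or from pyOpenSSL: RecordLimitedConnection is a stand-in that reproduces that one-record-per-recv() behaviour offline, and recv_exactly()/recv_message() show the receive loop plus a length-prefix framing that lets the server know when a message is complete. The framing format, the 1 MiB MAX_MESSAGE limit and the 51200-byte payload are assumptions made for the example.

```python
"""Added example (not from the thread): reading past the 16 KiB record limit.

TLS_MAX_PLAINTEXT is the protocol's record ceiling; RecordLimitedConnection is
a stand-in written for this example that behaves like SSL_read, which
pyOpenSSL's Connection.recv() wraps: one call never returns more than one
record's worth of plaintext, whatever buffer size is requested.
"""
import struct

TLS_MAX_PLAINTEXT = 2 ** 14          # 16384 bytes, the TLS record ceiling
MAX_MESSAGE = 1 << 20                # assumed application limit (1 MiB)


class RecordLimitedConnection:
    """Fake connection: delivers the queued bytes in record-sized pieces."""

    def __init__(self, wire_bytes):
        self._buf = memoryview(wire_bytes)

    def recv(self, bufsiz):
        n = min(bufsiz, TLS_MAX_PLAINTEXT, len(self._buf))
        chunk = bytes(self._buf[:n])
        self._buf = self._buf[n:]
        return chunk                  # b"" once everything has been read


def recv_exactly(conn, n):
    """Keep calling recv() until n bytes are in hand; b"" means the peer is gone."""
    parts, remaining = [], n
    while remaining:
        chunk = conn.recv(remaining)
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (n - remaining, n))
        parts.append(chunk)
        remaining -= len(chunk)
    return b"".join(parts)


def frame(payload):
    """Length-prefix a message so the receiver knows when it is complete.

    On a real connection sendall() takes this whole buffer and splits it
    across as many records as needed; the receiver has to reassemble.
    """
    return struct.pack("!I", len(payload)) + payload


def recv_message(conn, limit=MAX_MESSAGE):
    """Read one framed message; refuse lengths a peer could use to exhaust memory."""
    (length,) = struct.unpack("!I", recv_exactly(conn, 4))
    if length > limit:
        raise ValueError("message of %d bytes exceeds limit %d" % (length, limit))
    return recv_exactly(conn, length)


def single_recv(conn, bufsiz):
    """What a receiver gets from one recv() call, for comparison."""
    return conn.recv(bufsiz)


if __name__ == "__main__":
    payload = bytes(range(256)) * 200         # constructed 51200-byte message
    print(len(single_recv(RecordLimitedConnection(frame(payload)), 1 << 17)))
    print(recv_message(RecordLimitedConnection(frame(payload))) == payload)
```

Run stand-alone, the first line prints 16384 even though 131072 bytes were requested, and the second prints True because recv_message() loops until the framed length has arrived. The same loop applies to the plain socket case; the difference with TLS is only that the chunk size is capped by the record, which is why the osslverify.py loop earlier in this archive reads 4096 bytes at a time until ZeroReturnError.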