From naplanetu at gmail.com Fri Jan 2 22:52:45 2009
From: naplanetu at gmail.com (Taras P. Ivashchenko)
Date: Sat, 3 Jan 2009 00:52:45 +0300
Subject: [pyOpenSSL] How to read information from X509v3 extensions of certificate using pyOpenSSL?
Message-ID: <20090103005245.3d6894d7.naplanetu@gmail.com>

Hello, list!

I use pyopenssl for checking SSL certificates, and one of these checks is whether a given certificate is self-signed. I can do it using the values of two X509v3 extensions, the subject key identifier and the authority key identifier:

    X509v3 Subject Key Identifier:
        0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
    X509v3 Authority Key Identifier:
        keyid:0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00

I read the documentation of pyOpenSSL but I didn't find a way to grab this information from the certificate using, for example, methods of the X509 object.

-- 
Taras Ivashchenko, OSCP
www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds

From naplanetu at gmail.com Fri Jan 2 22:41:24 2009
From: naplanetu at gmail.com (Taras P. Ivashchenko)
Date: Sat, 3 Jan 2009 00:41:24 +0300
Subject: [pyOpenSSL] test
Message-ID: <20090103004124.4c63e712.naplanetu@gmail.com>

-- 
Taras Ivashchenko, OSCP
www.securityaudit.ru
----
"Software is like sex: it's better when it's free."
- Linus Torvalds

From mail.sensenmann at googlemail.com Sun Jan 18 00:45:43 2009
From: mail.sensenmann at googlemail.com (Christian Scharkus)
Date: Sun, 18 Jan 2009 00:45:43 +0100
Subject: [pyOpenSSL] Problems with openssl-0.9.8j
In-Reply-To: <717b5780901171400u35cfd8fcg7a0d0783c8382b1@mail.gmail.com>
References: <717b5780901171400u35cfd8fcg7a0d0783c8382b1@mail.gmail.com>
Message-ID: <717b5780901171545h47a1ac70u499c83c7fbdf7caa@mail.gmail.com>

Hi folks :)

I use Arch Linux i686 with pyopenssl-0.8 and openssl-0.9.8j and have got some problems with connecting to kekz.net:23002.

http://codepad.org/2aad1eAI

$ python
Python 2.6.1 (r261:67515, Dec 7 2008, 08:27:41)
[GCC 4.3.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> from OpenSSL.SSL import SSLv3_METHOD, Connection, Context
>>> s = socket.socket()
>>> conn = Connection(Context(SSLv3_METHOD), s)
>>> conn.connect(('kekz.net',23002))
>>> conn.do_handshake()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')]

It works fine with openssl-0.9.8i or when I use SSLv23_METHOD as Context, but this seems not to work with my twisted-based app.

Thanks
Christian Scharkus

From exarkun at divmod.com Sun Jan 18 04:01:41 2009
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Sat, 17 Jan 2009 22:01:41 -0500
Subject: [pyOpenSSL] Problems with openssl-0.9.8j
In-Reply-To: <717b5780901171545h47a1ac70u499c83c7fbdf7caa@mail.gmail.com>
Message-ID: <20090118030141.9754.940535086.divmod.quotient.4431@henry.divmod.com>

On Sun, 18 Jan 2009 00:45:43 +0100, Christian Scharkus wrote:
>Hi folks :)
>
>I use Arch Linux i686 with pyopenssl-0.8 and openssl-0.9.8j and have got
>some problems with connecting to kekz.net:23002.
>
>http://codepad.org/2aad1eAI
>
>$ python
>Python 2.6.1 (r261:67515, Dec 7 2008, 08:27:41)
>[GCC 4.3.2] on linux2
>Type "help", "copyright", "credits" or "license" for more information.
>>>> import socket
>>>> from OpenSSL.SSL import SSLv3_METHOD, Connection, Context
>>>> s = socket.socket()
>>>> conn = Connection(Context(SSLv3_METHOD), s)
>>>> conn.connect(('kekz.net',23002))
>>>> conn.do_handshake()
>Traceback (most recent call last):
>  File "<stdin>", line 1, in <module>
>OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')]

This seems to be due to the change in OpenSSL 0.9.8j to sending a TLS extension section by default. A correct SSL server will ignore this section, but it seems there are a few SSL libraries which freak out when they encounter this.

The next version of pyOpenSSL will include a way to work around this by exposing a constant to explicitly disable sending this TLS extension section.

This is done with a Context option, so if your example code above were changed to set up the connection like this:

    from OpenSSL.SSL import OP_NO_TICKET
    ctx = Context(SSLv3_METHOD)
    ctx.set_options(OP_NO_TICKET)
    conn = Connection(ctx, s)

Then it would work (I've tested this against trunk at HEAD of pyOpenSSL and OpenSSL 0.9.8j and it fixed the connection problem for me).

You can probably also just use the value of OP_NO_TICKET with older versions of pyOpenSSL. It will have the same effect on OpenSSL 0.9.8j and no effect at all on older versions.

Jean-Paul

From mail.sensenmann at googlemail.com Sun Jan 18 14:19:31 2009
From: mail.sensenmann at googlemail.com (Christian Scharkus)
Date: Sun, 18 Jan 2009 14:19:31 +0100
Subject: [pyOpenSSL] Problems with openssl-0.9.8j
Message-ID: <717b5780901180519h17a37c6dofeffe3512b19702e@mail.gmail.com>

Thanks for your help, but what is the integer value of OP_NO_TICKET? Currently I've got pyopenssl 0.8 only and have no idea where to get the dev-source, and I don't think the user of the app should have to install it either.
greetings
Christian Scharkus

>>Hi folks :)
>>
>>I use Arch Linux i686 with pyopenssl-0.8 and openssl-0.9.8j and have got
>>some problems with connecting to kekz.net:23002.
>>
>>http://codepad.org/2aad1eAI
>>
>>$ python
>>Python 2.6.1 (r261:67515, Dec 7 2008, 08:27:41)
>>[GCC 4.3.2] on linux2
>>Type "help", "copyright", "credits" or "license" for more information.
>>>>> import socket
>>>>> from OpenSSL.SSL import SSLv3_METHOD, Connection, Context
>>>>> s = socket.socket()
>>>>> conn = Connection(Context(SSLv3_METHOD), s)
>>>>> conn.connect(('kekz.net',23002))
>>>>> conn.do_handshake()
>>Traceback (most recent call last):
>>  File "<stdin>", line 1, in <module>
>>OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')]
>
> This seems to be due to the change in OpenSSL 0.9.8j to sending a TLS
> extension section by default. A correct SSL server will ignore this
> section, but it seems there are a few SSL libraries which freak out
> when they encounter this.
>
> The next version of pyOpenSSL will include a way to work around this
> by exposing a constant to explicitly disable sending this TLS extension
> section.
>
> This is done with a Context option, so if your example code above were
> changed to set up the connection like this:
>
>     from OpenSSL.SSL import OP_NO_TICKET
>     ctx = Context(SSLv3_METHOD)
>     ctx.set_options(OP_NO_TICKET)
>     conn = Connection(ctx, s)
>
> Then it would work (I've tested this against trunk at HEAD of pyOpenSSL and
> OpenSSL 0.9.8j and it fixed the connection problem for me).
>
> You can probably also just use the value of OP_NO_TICKET with older versions
> of pyOpenSSL. It will have the same effect on OpenSSL 0.9.8j and no effect
> at all on older versions.
>
> Jean-Paul

From exarkun at divmod.com Sun Jan 18 18:05:55 2009
From: exarkun at divmod.com (Jean-Paul Calderone)
Date: Sun, 18 Jan 2009 12:05:55 -0500
Subject: [pyOpenSSL] Problems with openssl-0.9.8j
In-Reply-To: <717b5780901180519h17a37c6dofeffe3512b19702e@mail.gmail.com>
Message-ID: <20090118170555.9754.291604270.divmod.quotient.4702@henry.divmod.com>

On Sun, 18 Jan 2009 14:19:31 +0100, Christian Scharkus wrote:
>Thanks for your help but what is the integer value of OP_NO_TICKET?
>Currently I've got pyopenssl 0.8 only and have no idea where to get
>the dev-source and I don't think the user of the app should have to
>install it either.

exarkun@boson:~/Scratch/Sources/openssl-0.9.8j$ grep OP_NO_TICKET ./ -r | grep '#define'
./include/openssl/ssl.h:#define SSL_OP_NO_TICKET 0x00004000L

Jean-Paul

From info at egenix.com Fri Jan 30 13:30:42 2009
From: info at egenix.com (eGenix Team: M.-A. Lemburg)
Date: Fri, 30 Jan 2009 13:30:42 +0100
Subject: [pyOpenSSL] ANN: eGenix pyOpenSSL Distribution 0.8.0-0.9.8j-1
Message-ID: <4982F2F2.2040909@egenix.com>

________________________________________________________________________

ANNOUNCING

eGenix.com pyOpenSSL Distribution
Version 0.8.0-0.9.8j-1

An easy to install and use repackaged distribution of the pyOpenSSL Python interface for OpenSSL - available on Windows and Unix platforms

This announcement is also available on our web-site for online reading:
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.8.0-0.9.8j-1-GA.html

________________________________________________________________________

INTRODUCTION

The eGenix.com pyOpenSSL Distribution includes everything you need to get started with SSL in Python.

It comes with an easy to use installer that includes the most recent OpenSSL library versions in pre-compiled form.

pyOpenSSL is an open-source Python add-on (http://pyopenssl.sf.net/) that allows writing SSL aware networking applications as well as certificate management tools.
OpenSSL is an open-source implementation of the SSL protocol (http://www.openssl.org/).

For more information, please see the product page:
http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

NEWS

This fourth release of the eGenix.com pyOpenSSL Distribution upgrades the included OpenSSL libs to version 0.9.8j, which fixes a vulnerability found in earlier OpenSSL releases of the 0.9.8 branch: CVE-2008-5077 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077).

We have also enabled zlib compression support in OpenSSL for both the Linux and Windows builds, so OpenSSL clients/servers can now negotiate on-the-fly zlib compression for SSL connections.

Binaries are available for Linux x86 and x64 as well as Windows x86 and include pyOpenSSL 0.8.0 as well as pre-compiled and tested OpenSSL 0.9.8j libraries.

________________________________________________________________________

DOWNLOADS

The download archives and instructions for installing the package can be found at:
http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

UPGRADING

Before installing this version of pyOpenSSL, please make sure that you uninstall any previously installed pyOpenSSL version. Otherwise, you could end up not using the included OpenSSL libs.

________________________________________________________________________

SUPPORT

Commercial support for these packages is available from eGenix.com. Please see
http://www.egenix.com/services/support/
for details about our support offerings.

Enjoy,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 30 2009)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...
http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
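The first message in this archive asks how to read the X509v3 Subject Key Identifier and Authority Key Identifier from a certificate in order to spot a self-signed one. The following is an added example, not code from the thread or from pyOpenSSL: it parses a certificate's DER-encoded Extensions block (the SEQUENCE OF Extension inside the TBSCertificate) with nothing but the standard library, pulls out both key identifiers and compares them; the sample input is constructed with a small encoder around the key id quoted in the post.

```python
OID_SKI = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier
OID_AKI = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier
KEYID = bytes.fromhex("0ED4AAB109917C3660EA564E9C5700AF9C4D0200")  # key id quoted in the post

def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                          # short-form length
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    k = first & 0x7F                          # long form: k length bytes follow
    n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    start = pos + 2 + k
    return tag, buf[start:start + n], start + n

def der_children(body: bytes):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val

def key_identifiers(extensions_der: bytes):
    """Return (ski, aki_keyid) from a DER SEQUENCE OF Extension; None when absent."""
    ski = aki = None
    _, ext_seq, _ = der_read(extensions_der)
    for _, ext in der_children(ext_seq):
        fields = list(der_children(ext))              # extnID, [critical], extnValue
        oid, extn_value = fields[0][1], fields[-1][1]
        if oid == OID_SKI:
            _, ski, _ = der_read(extn_value)          # OCTET STRING holding the key id
        elif oid == OID_AKI:
            _, aki_seq, _ = der_read(extn_value)      # SEQUENCE { [0] keyIdentifier, ... }
            aki = next((v for t, v in der_children(aki_seq) if t == 0x80), None)
    return ski, aki

def looks_self_issued(extensions_der: bytes) -> bool:
    """True when the certificate names its own key id as its authority key id."""
    ski, aki = key_identifiers(extensions_der)
    return ski is not None and ski == aki

def der_tlv(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV encoder, enough for the constructed sample below."""
    return bytes([tag, len(body)]) + body

def build_extensions(ski: bytes, aki: bytes) -> bytes:
    """Constructed SEQUENCE OF Extension with one SKI and one AKI (sample input only)."""
    ski_ext = der_tlv(0x30, der_tlv(0x06, OID_SKI) + der_tlv(0x04, der_tlv(0x04, ski)))
    aki_ext = der_tlv(0x30, der_tlv(0x06, OID_AKI) + der_tlv(0x04, der_tlv(0x30, der_tlv(0x80, aki))))
    return der_tlv(0x30, ski_ext + aki_ext)
```

Equal identifiers only mean the certificate claims its own key as the issuing key; anyone can put matching values into a certificate they make, so a real self-signed check also verifies the signature with the certificate's own public key.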
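The "Problems with openssl-0.9.8j" thread above comes down to what the client puts after the compression methods in its ClientHello. The following is an added example, not code from the thread or from pyOpenSSL: it builds constructed ClientHello records with and without a SessionTicket extension (type 0x0023, the extension SSL_OP_NO_TICKET stops the client from sending) and parses them back, which is the check to run over a captured handshake before reaching for the OP_NO_TICKET workaround.

```python
import struct

SESSION_TICKET_EXT = 0x0023  # RFC 5077 SessionTicket; SSL_OP_NO_TICKET stops the client sending it

def build_client_hello(version=(3, 0), extensions=None) -> bytes:
    """Constructed ClientHello record; extensions is a list of (type, data) or None."""
    body = bytes(version) + b"\x11" * 32            # client_version + fixed fake random
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"      # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                             # compression_methods: null only
    if extensions is not None:                      # the optional block some old servers choke on
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record: bytes) -> dict:
    """Walk a ClientHello record and list its extension types (empty if no block)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 9                                         # 5-byte record header + 4-byte handshake header
    version = tuple(record[pos:pos + 2])
    pos += 2 + 32                                   # client_version, random
    pos += 1 + record[pos]                          # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                          # compression_methods
    exts = []
    if pos < len(record):                           # RFC 4366: extensions present only if bytes remain
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"version": version, "extensions": exts,
            "session_ticket": SESSION_TICKET_EXT in exts}
```

A server that rejects an otherwise valid ClientHello merely because the extensions block is present is the broken side, as the reply above says; the option only hides the symptom for that one peer.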