From erwan.loaec at cgin.fr Tue Feb 2 16:48:50 2010
From: erwan.loaec at cgin.fr (Erwan Loaëc)
Date: Tue, 02 Feb 2010 16:48:50 +0100
Subject: [pyOpenSSL] HTTPS with SmartCard (PKCS11) cert/key
Message-ID: <4B684962.1020005@cgin.fr>

Hello,

I've spent many days looking for a solution to my problem:

Users have a smartcard with a certificate and private key. They need to
access an SSL resource using their personal certificate as the client
certificate for SSL.

With a "hard" certificate I have no problem using something like

    httplib.HTTPSConnection('monsitessl', 443, 'mykey.key', 'mycert.crt')

How can I do it with Python? Is there a way in pyOpenSSL to do it?
Can anyone tell me a way?

I'm using OpenSC for the PKCS11 lib (which works pretty well with
Firefox...).

Regards,
-- 
Erwan


From mal at egenix.com Fri Feb 26 12:54:11 2010
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 26 Feb 2010 12:54:11 +0100
Subject: [pyOpenSSL] Problem with pyOpenSSL 0.10 and OpenSSL 0.9.8m
Message-ID: <4B87B663.6010600@egenix.com>

OpenSSL just released version 0.9.8m where they changed the
SSL renegotiation scheme to now follow RFC 5746 instead of
just disabling it completely:

    http://tools.ietf.org/html/rfc5746

pyOpenSSL compiles against the new version without problems,
but one of the unit tests fails on Linux x64 (and perhaps
other platforms as well):

> python OpenSSL/test/test_ssl.py
.......E....
======================================================================
ERROR: test_set_default_verify_paths (__main__.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "OpenSSL/test/test_ssl.py", line 253, in test_set_default_verify_paths
    clientSSL.do_handshake()
Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

----------------------------------------------------------------------
Ran 12 tests in 0.660s

FAILED (errors=1)

The test connects to https://verisign.com/
I've tried a few other sites as well, but always get the same
error.

Any suggestions ?

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 26 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/


From mal at egenix.com Fri Feb 26 13:04:29 2010
From: mal at egenix.com (M.-A. Lemburg)
Date: Fri, 26 Feb 2010 13:04:29 +0100
Subject: [pyOpenSSL] Problem with pyOpenSSL 0.10 and OpenSSL 0.9.8m
In-Reply-To: <4B87B663.6010600@egenix.com>
References: <4B87B663.6010600@egenix.com>
Message-ID: <4B87B8CD.1060109@egenix.com>

M.-A. Lemburg wrote:
> OpenSSL just released version 0.9.8m where they changed the
> SSL renegotiation scheme to now follow RFC 5746 instead of
> just disabling it completely:
> 
>     http://tools.ietf.org/html/rfc5746
> 
> pyOpenSSL compiles against the new version without problems,
> but one of the unit tests fails on Linux x64 (and perhaps
> other platforms as well):
> 
>> python OpenSSL/test/test_ssl.py
> .......E....
> ======================================================================
> ERROR: test_set_default_verify_paths (__main__.ContextTests)
> ----------------------------------------------------------------------
> Traceback (most recent call last):
>   File "OpenSSL/test/test_ssl.py", line 253, in test_set_default_verify_paths
>     clientSSL.do_handshake()
> Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
> 
> ----------------------------------------------------------------------
> Ran 12 tests in 0.660s
> 
> FAILED (errors=1)
> 
> The test connects to https://verisign.com/
> I've tried a few other sites as well, but always get the same
> error.

I tried the same on Linux x86 with the same results.

I then also checked pyOpenSSL 0.9.0 with OpenSSL 0.9.8l
and again get the same results.

Perhaps there's something wrong with my test setup ? I've
done the tests on two different machines.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com


From exarkun at twistedmatrix.com Fri Feb 26 17:26:25 2010
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Fri, 26 Feb 2010 16:26:25 -0000
Subject: [pyOpenSSL] Problem with pyOpenSSL 0.10 and OpenSSL 0.9.8m
In-Reply-To: <4B87B8CD.1060109@egenix.com>
References: <4B87B663.6010600@egenix.com> <4B87B8CD.1060109@egenix.com>
Message-ID: <20100226162625.2792.410394570.divmod.xquotient.109@localhost.localdomain>

On 12:04 pm, mal at egenix.com wrote:
>M.-A. Lemburg wrote:
>>OpenSSL just released version 0.9.8m where they changed the
>>SSL renegotiation scheme to now follow RFC 5746 instead of
>>just disabling it completely:
>>
>>    http://tools.ietf.org/html/rfc5746
>>
>>pyOpenSSL compiles against the new version without problems,
>>but one of the unit tests fails on Linux x64 (and perhaps
>>other platforms as well):
>>>python OpenSSL/test/test_ssl.py
>>.......E....
>>======================================================================
>>ERROR: test_set_default_verify_paths (__main__.ContextTests)
>>----------------------------------------------------------------------
>>Traceback (most recent call last):
>>  File "OpenSSL/test/test_ssl.py", line 253, in
>>test_set_default_verify_paths
>>    clientSSL.do_handshake()
>>Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate
>>verify failed')]
>>
>>----------------------------------------------------------------------
>>Ran 12 tests in 0.660s
>>
>>FAILED (errors=1)
>>
>>The test connects to https://verisign.com/
>>I've tried a few other sites as well, but always get the same
>>error.
>
>I tried the same on Linux x86 with the same results.
>
>I then also checked pyOpenSSL 0.9.0 with OpenSSL 0.9.8l
>and again get the same results.
>
>Perhaps there's something wrong with my test setup ? I've
>done the tests on two different machines.

This test depends on OpenSSL having been built so that it has access to
the platform-provided CA certificate database. It sounds like your
builds weren't done this way.

I've never actually built OpenSSL this way myself, and I have very
little idea what is involved in doing so. I know that Ubuntu's OpenSSL
builds have this enabled, but as far as I know none of the other widely
used builds for other platforms do (I've looked at OS X and Windows and
they don't, I'm not sure about other Linux distros).

Unfortunately I don't have much more info than that about the feature,
so I can't make any suggestions about how to check to see if this is
really the problem, or how to change the build in order to fix it.

Jean-Paul


From exarkun at twistedmatrix.com Fri Feb 26 20:13:57 2010
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Fri, 26 Feb 2010 19:13:57 -0000
Subject: [pyOpenSSL] Problem with pyOpenSSL 0.10 and OpenSSL 0.9.8m
In-Reply-To: <465C3353-3F96-4CF9-832D-280C75EC488B@twistedmatrix.com>
References: <4B87B663.6010600@egenix.com> <4B87B8CD.1060109@egenix.com> <20100226162625.2792.410394570.divmod.xquotient.109@localhost.localdomain> <465C3353-3F96-4CF9-832D-280C75EC488B@twistedmatrix.com>
Message-ID: <20100226191357.2792.2125479440.divmod.xquotient.133@localhost.localdomain>

On 07:02 pm, glyph at twistedmatrix.com wrote:
>On Feb 26, 2010, at 10:26 AM, exarkun at twistedmatrix.com wrote:
>>This test depends on OpenSSL having been built so that it has access
>>to
>>the platform-provided CA certificate database. It sounds like your
>>builds weren't done this way.
>>
>>I've never actually built OpenSSL this way myself, and I have very
>>little idea what is involved in doing so. I know that Ubuntu's
>>OpenSSL
>>builds have this enabled, but as far as I know none of the other
>>widely
>>used builds for other platforms do (I've looked at OS X and Windows
>>and
>>they don't, I'm not sure about other Linux distros).
>
>OS X does; at least, the test passes on Snow Leopard.
>
>I updated with the
>results of our experiment at the sprint.

Oh right. Thanks for the correction. I got confused about versions of
things.

Jean-Paul
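The thread above ends with the build question Jean-Paul could not answer: is the "certificate verify failed" error a bad peer certificate, or an OpenSSL build whose default verify paths point at a CA store that does not exist on this machine? The script below is an added diagnostic, not code from the thread, from pyOpenSSL, or from eGenix; it uses the standard-library ssl module (whose set_default_verify_paths() is the same OpenSSL call the failing pyOpenSSL test exercises) so it runs offline, and every function name in it is my own. It reports the CA file and directory compiled into the OpenSSL build, whether they exist, and how many CA certificates actually load; a count of zero means every handshake to a public site will fail exactly as in the test run, before any certificate is even examined.

```python
import os
import ssl
from typing import Any, Dict

# Added diagnostic; not part of pyOpenSSL or of the mailing-list thread.
# All function names here are my own.


def inspect_default_verify_paths() -> Dict[str, Any]:
    """Report the CA file and CA directory compiled into this OpenSSL build
    and whether they exist on disk. These are the locations that
    set_default_verify_paths() consults, unless the named environment
    variables override them."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.openssl_cafile,
        "cafile_env": paths.openssl_cafile_env,   # env var overriding the file
        "cafile_exists": os.path.isfile(paths.openssl_cafile),
        "capath": paths.openssl_capath,
        "capath_env": paths.openssl_capath_env,   # env var overriding the dir
        "capath_exists": os.path.isdir(paths.openssl_capath),
    }


def count_default_cas() -> int:
    """Build a bare client context, load only the default verify paths and
    count the CA certificates that ended up in the store. Zero means any
    handshake against a publicly issued certificate fails with
    'certificate verify failed', regardless of the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_default_verify_paths()
    return ctx.cert_store_stats()["x509_ca"]


def diagnose(cafile_exists: bool, capath_exists: bool, ca_count: int) -> str:
    """Pure decision function, kept separate so the logic is testable without
    a network or a particular OpenSSL build."""
    if ca_count > 0:
        return "ok: %d CA certificates loaded from the default verify paths" % ca_count
    if not cafile_exists and not capath_exists:
        return ("missing: this OpenSSL build's default CA file and directory do "
                "not exist on this system; point the SSL_CERT_FILE/SSL_CERT_DIR "
                "variables at the platform bundle or rebuild with matching paths")
    return ("empty: the default CA file/directory exist but contain no usable "
            "CA certificates; check the bundle contents and the hashed links "
            "(c_rehash) in the directory")


def run_diagnosis() -> Dict[str, Any]:
    """Combine the three checks into one report with a verdict line."""
    report = inspect_default_verify_paths()
    report["loaded_ca_count"] = count_default_cas()
    report["verdict"] = diagnose(report["cafile_exists"],
                                 report["capath_exists"],
                                 report["loaded_ca_count"])
    return report


if __name__ == "__main__":
    for key, value in run_diagnosis().items():
        print("%-16s %s" % (key, value))
```

Run it on the machine where the test fails: a "missing" verdict is the situation Jean-Paul describes (the build was not given the platform CA database), and setting the environment variable named in cafile_env to the platform bundle should make the test pass without a rebuild. The point for anyone debugging such failures is that an empty trust store produces the same error string as a genuinely untrusted peer, so check the store before blaming the server.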