From eric.chazan at sungardas.com  Mon Sep  8 18:04:00 2014
From: eric.chazan at sungardas.com (Eric Chazan)
Date: Mon, 8 Sep 2014 12:04:00 -0400
Subject: [pyOpenSSL-Users] Can we have a PyOpenSSL 0.15?
Message-ID:

All,

My team is considering a port to Python 3 from Python 2.7. One issue we
see is that we can't run a flask server with ssl. I am seeing that the fix
is in this pull request:

https://github.com/pyca/pyopenssl/pull/78/commits

Which has already been merged. Is a new version of PyOpenSSL coming that
contains this pull request?

Thanks,
Eric Chazan


From exarkun at twistedmatrix.com  Mon Sep  8 21:59:49 2014
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Mon, 08 Sep 2014 19:59:49 -0000
Subject: [pyOpenSSL-Users] Can we have a PyOpenSSL 0.15?
In-Reply-To:
References:
Message-ID: <20140908195949.20413.817742540.divmod.xquotient.2273@top>

On 04:04 pm, eric.chazan at sungardas.com wrote:
>All,
>
>
>My team is considering a port to Python 3 from Python 2.7. One issue
>we
>see is that we can't run a flask server with ssl. I am seeing that the
>fix
>is in this pull request:
>
>
>https://github.com/pyca/pyopenssl/pull/78/commits
>
>
>
>Which has already been merged. Is a new version of PyOpenSSL coming
>that
>contains this pull request?

It seems to me that there is a blocking issue for 0.15:

https://github.com/pyca/pyopenssl/issues?milestone=2&q=is%3Aopen

However, no one else seems to care so maybe I should give up the idea
that anyone actually cares about backwards compatibility and we can just
move on with all the other changes people are interested in.

Jean-Paul


From toby at graphlab.com  Fri Sep 19 20:49:44 2014
From: toby at graphlab.com (Toby Roseman)
Date: Fri, 19 Sep 2014 11:49:44 -0700
Subject: [pyOpenSSL-Users] Seems like no way to reproduce format from the command line
Message-ID:

Hi all -

I am trying to generate a Private Key and a corresponding self-signed
Public Key Certificate. These will be used to enable HTTPS on an AWS EC2
Loadbalancer. I can easily do this using the command line openssl tool,
with the following commands:

openssl genrsa 1024 > privatekey.pem
openssl req -new -key privatekey.pem -out csr.pem
openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt

(For the second command I just leave all of the questions blank. The files
I actually use are: privatekey.pem and server.crt)

I want to use pyopenssl to generate a new private key and certificate in
the same format as the above. After several hours of playing around with
pyopenssl and reading the documentation, I still have no clue how to do
it.

The closest I could get is:

from OpenSSL import crypto
req = crypto.X509Req()
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 1024)
req.set_pubkey(pkey)
req.sign(pkey, 'sha1')
print crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
print crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)

I think this should do the same thing as the command line, but it doesn't.
Neither of the two required files is right. The length of their data
strings are different. Also the header lines don't match. For the command
line the two headers are:
"-----BEGIN CERTIFICATE-----" and "-----BEGIN RSA PRIVATE KEY-----".
For pyopenssl, they are:
"-----BEGIN CERTIFICATE REQUEST-----" and "-----BEGIN PRIVATE KEY-----".

Any help is appreciated. Thanks.
Toby


From Axel.Rau at l.chaos1.de  Sat Sep 20 17:45:39 2014
From: Axel.Rau at l.chaos1.de (Axel J. Rau)
Date: Sat, 20 Sep 2014 17:45:39 +0200
Subject: [pyOpenSSL-Users] certs, created with 0.14 fail to validate with PostgreSQL 9.3 client
Message-ID:

Hi all,

server and client certs of my PostgreSQL infrastructure (created with
pyopenssl 0.13 in Sep, 2013) worked perfectly.
Now, after creating new server and client certs (after upgrading to
pyopenssl 0.14), client certs are refused by pqlib with "validation failed".
No problems with other applications. CA cert has not changed.
PostgreSQL server+client is running on FreeBSD 9.2, CA is running on
Darwin 10.8.0, both with openssl 0.9.8y with patches.
- - -
I.e. psql gives:
psql: SSL error: certificate verify failed

Both certs are validated ok by openssl:
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslserver /usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem
/usr/local/pgsql/data-l/db1.in.chaos1.de_server_cert.pem: OK
- - -
openssl verify -verbose -CAfile ca_cert.pem -purpose sslclient db1.in.chaos1.de_server_cert.pem
db1.in.chaos1.de_server_cert.pem: OK
- - -
x509 extensions of server cert are
- - -
            X509v3 Subject Key Identifier:
                E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: critical
                DNS:some.host, DNS:another host
- - -
and of client cert
- - -
            X509v3 Subject Key Identifier:
                E2:F8:B9:D0:94:F2:70:BD:BE:84:EE:5C:7B:45:95:47:E4:9F:49:3B
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: critical
                DNS:some.host, DNS:another host
- - -
How can this be? What am I doing wrong?
I could not find any clue, looking here
https://github.com/postgres/postgres/blob/REL9_3_STABLE/src/backend/libpq/be-secure.c

Thanks,
Axel


From exarkun at twistedmatrix.com  Sat Sep 20 18:44:57 2014
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Sat, 20 Sep 2014 16:44:57 -0000
Subject: [pyOpenSSL-Users] Seems like no way to reproduce format from the command line
In-Reply-To:
References:
Message-ID: <20140920164457.8045.1560786754.divmod.xquotient.13@top>

On 19 Sep, 06:49 pm, toby at graphlab.com wrote:
>Hi all -
>
>
>I am trying to generate a Private Key and a corresponding self-signed
>Public Key Certificate. These will be used to enable HTTPS on an AWS EC2
>Loadbalancer. I can easily do this using the command line openssl tool,
>with the following commands:
>
>openssl genrsa 1024 > privatekey.pem
>openssl req -new -key privatekey.pem -out csr.pem
>openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out
>server.crt

`openssl x509 ...` writes out an X509 certificate - which is probably
what you want.

>(For the second command I just leave all of the questions blank. The
>files
>I actually use are: privatekey.pem and server.crt)
>
>I want to use pyopenssl to generate a new private key and certificate
>in
>the same format as the above. After several hours of playing around
>with
>pyopenssl and reading the documentation, I still have no clue how to do
>it.
>
>The closest I could get is:
>
>from OpenSSL import crypto
>req = crypto.X509Req()
>pkey = crypto.PKey()
>pkey.generate_key(crypto.TYPE_RSA, 1024)
>req.set_pubkey(pkey)
>req.sign(pkey, 'sha1')
>print crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)

`dump_certificate_request` writes an X509 certificate request, not an
X509 certificate.

If you want to generate a self-signed certificate then you don't need an
X509Req instance at all. Just create an `X509` instance and sign and
dump it, instead.

Jean-Paul

>print crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)
>
>I think this should do the same thing as the command line, but it
>doesn't.
>Neither of the two required files is right. The length of their data
>strings are different. Also the header lines don't match. For the
>command
>line the two headers are:
>"-----BEGIN CERTIFICATE-----" and "-----BEGIN RSA PRIVATE KEY-----".
>For
>pyopenssl, they are: "-----BEGIN CERTIFICATE REQUEST-----" and "-----
>BEGIN
>PRIVATE KEY-----".
>
>Any help is appreciated. Thanks.
>Toby
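The approach Jean-Paul describes (fill in an `X509` object, sign it with its own key, dump it) worked through, as an added example that is not part of the thread and not pyOpenSSL's own code. It assumes a reasonably recent pyOpenSSL is installed (the `X509StoreContext` check needs 0.15 or later, the release Eric asked about). The function names and the `example.test` hostname are mine; it uses a 2048-bit key and sha256 rather than the 1024-bit key and sha1 in Toby's snippet, and it adds the basicConstraints and subjectAltName extensions that `openssl x509 -req` does not add by default. The PEM strings it returns are what would be written to privatekey.pem and server.crt.

```python
# Added example (not from the mailing-list thread): self-signed certificate
# with pyOpenSSL, skipping the CSR entirely. Assumes pyOpenSSL is installed;
# function names and the sample hostname are hypothetical.
from OpenSSL import crypto


def make_self_signed_cert(common_name, days=365, bits=2048, serial=1):
    """Return (private_key_pem, certificate_pem) as bytes.

    Equivalent of `openssl genrsa` + `openssl req` + `openssl x509 -req
    -signkey`, but without the intermediate certificate request.
    """
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, bits)   # 2048 here, not the 1024 in the question

    cert = crypto.X509()
    cert.set_version(2)                       # 2 means X.509 v3, required for extensions
    cert.set_serial_number(serial)
    subject = cert.get_subject()
    subject.CN = common_name
    cert.set_issuer(subject)                  # self-signed: issuer is the subject
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(days * 24 * 60 * 60)
    cert.set_pubkey(key)
    cert.add_extensions([
        crypto.X509Extension(b"basicConstraints", True, b"CA:FALSE"),
        crypto.X509Extension(b"keyUsage", True, b"digitalSignature, keyEncipherment"),
        crypto.X509Extension(b"extendedKeyUsage", False, b"serverAuth"),
        # Modern clients match the hostname against the SAN, not the CN.
        crypto.X509Extension(b"subjectAltName", False,
                             b"DNS:" + common_name.encode("ascii")),
    ])
    cert.sign(key, "sha256")                  # sha256, not the sha1 in the question

    return (crypto.dump_privatekey(crypto.FILETYPE_PEM, key),
            crypto.dump_certificate(crypto.FILETYPE_PEM, cert))


def check_self_signed(cert_pem, key_pem, common_name):
    """Reload the PEM output and confirm it is a certificate (not a CSR),
    self-signed, unexpired, that its signature verifies, and that the
    private key actually belongs to the certificate's public key."""
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
    key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
    if cert.get_subject() != cert.get_issuer():
        return False
    if cert.get_subject().CN != common_name or cert.has_expired():
        return False
    # Key pair match: compare the RSA public numbers of both sides.
    cert_pub = cert.get_pubkey().to_cryptography_key().public_numbers()
    key_pub = key.to_cryptography_key().public_key().public_numbers()
    if cert_pub != key_pub:
        return False
    # Signature check with the certificate itself as the trust anchor.
    store = crypto.X509Store()
    store.add_cert(cert)
    try:
        crypto.X509StoreContext(store, cert).verify_certificate()
    except crypto.X509StoreContextError:
        return False
    return True


if __name__ == "__main__":
    key_pem, cert_pem = make_self_signed_cert("example.test")
    print(key_pem.decode("ascii").splitlines()[0])   # PRIVATE KEY header
    print(cert_pem.decode("ascii").splitlines()[0])  # -----BEGIN CERTIFICATE-----
    print("self-signed and consistent:", check_self_signed(cert_pem, key_pem, "example.test"))
```

The private-key PEM header depends on the pyOpenSSL/OpenSSL version (`BEGIN PRIVATE KEY` for PKCS#8 output, `BEGIN RSA PRIVATE KEY` for the older format); both encode the same key and both load with `load_privatekey`, so the header difference Toby noticed is not an error. The `check_self_signed` round trip is the check worth keeping in a deployment script: it catches the CSR-instead-of-certificate mistake from the question, and a key file that does not match the certificate, before the files reach the load balancer.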