[PYTHON-CRYPTO] Custom SSL verification callbacks should now work

Thomas D. Uram turam at MCS.ANL.GOV
Mon Jun 13 19:44:14 CEST 2005


I'm running the latest m2crypto source from subversion with swig 1.3.24, using the echo
demos, and SSL.cb.ssl_verify_callback, which is of the older five-argument form, does not
work.

I'm running demo/ssl/echo.py against demo/ssl/echod-iterative.py.  echo.py calls
set_verify to set SSL.cb.ssl_verify_callback, and fails like so:

LOOP: SSL connect: before/connect initialization
LOOP: SSL connect: SSLv3 write client hello A
LOOP: SSL connect: SSLv3 read server hello A
/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Connection.py:124: DeprecationWarning: Old style callback, use cb_func(ok, store) instead
  return m2.ssl_connect(self.ssl)
in ssl_verify_callback
Traceback (most recent call last):
  File "echo.py", line 39, in ?
    s.connect((host, port))
  File "/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Connection.py", line 131, in connect
    ret = self.connect_ssl()
  File "/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Connection.py", line 124, in connect_ssl
    return m2.ssl_connect(self.ssl)
M2Crypto.SSL.SSLError: certificate verify failed

Examining the exception that occurs in ssl_verify_callback, I found that the map in
Context.py from C objects to python objects doesn't include the C context object passed
into the verify callback (as ssl_ctx_ptr).  That's as far as I chased it.

If I replace ssl_verify_callback with my own custom verify_callback, of either the two-arg
or five-arg form:

def verify_callback(ok, store):
    # New-style (two-argument) form: hand OpenSSL's verdict back unchanged
    return ok

def fiveargs_verify_callback(ctx_ptr, x509_ptr, errnum, errdrpth, ok):
    # Old-style (five-argument) form, now deprecated; same pass-through behaviour
    return ok

it works fine.

Tom


On 06/01/05 17:32, Heikki Toivonen wrote:
> Phew, this turned out to be more complicated than I originally thought.
> Anyway, now you should be able to set a custom SSL verification callback
> with
> 
> def verify_cb(ok, store):
>     # Do my custom verification
>     return ok
> 
> ctx = SSL.Context()
> ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9, verify_cb)
> 
> Previously that crashed on me every time. Both the new style callback
> and the old style callback with 5 arguments are supported, and
> everything should be backwards compatible. The 5 argument version is
> deprecated.
> 
> I would be interested to hear if:
> 
> 1) You experience any problems with this
> 2) You were actually using the custom callback successfully before
> 
> --
>   Heikki Toivonen
> 
> 
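A fuller version of the two-argument callback Heikki describes above, as an added example that is not code from the thread or from M2Crypto itself: it keeps OpenSSL's verdict (a failed verification is never turned into a pass), logs why a certificate was rejected, adds a local chain-depth limit on top, and attaches the callback with the same set_verify() call. It assumes the store argument exposes get_error(), get_error_depth() and get_current_cert() (the X509_Store_Context accessors of later M2Crypto releases; the 2005 tree may differ); FakeStore and FakeCert are constructed stand-ins so the policy can be exercised without a live TLS connection.

```python
import logging

log = logging.getLogger("m2_verify")

MAX_CHAIN_DEPTH = 3  # local policy, stricter than the 9 handed to set_verify()


def make_verify_cb(max_depth=MAX_CHAIN_DEPTH, seen=None):
    """Build a new-style verify_cb(ok, store) that never upgrades a failure.
    ok: OpenSSL's 1/0 verdict for the cert at the current chain depth.
    store: X509_Store_Context (assumed accessors, see lead-in).
    seen: optional list receiving (depth, subject, err, ok) for each call."""
    seen = [] if seen is None else seen

    def verify_cb(ok, store):
        depth = store.get_error_depth()
        err = store.get_error()
        cert = store.get_current_cert()
        subject = str(cert.get_subject()) if cert is not None else "<none>"
        seen.append((depth, subject, err, bool(ok)))
        if not ok:
            # Keep OpenSSL's failure; only record the reason for the operator.
            log.warning("verify failed: depth=%d subject=%s err=%s", depth, subject, err)
            return 0
        if depth > max_depth:
            # OpenSSL accepted the cert, but the chain exceeds local policy.
            log.warning("chain too deep: depth=%d > %d", depth, max_depth)
            return 0
        return 1

    return verify_cb


def make_context(verify_cb):
    """Attach the callback exactly as the thread shows: (mode, depth, callback)."""
    from M2Crypto import SSL  # imported here so the rest runs without M2Crypto
    ctx = SSL.Context()
    ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9, verify_cb)
    return ctx


class FakeCert:  # constructed stand-in for M2Crypto.X509.X509
    def __init__(self, subject): self.subject = subject
    def get_subject(self): return self.subject


class FakeStore:  # constructed stand-in for M2Crypto.X509.X509_Store_Context
    def __init__(self, depth, err, subject):
        self.depth, self.err, self.cert = depth, err, FakeCert(subject)
    def get_error_depth(self): return self.depth
    def get_error(self): return self.err
    def get_current_cert(self): return self.cert
```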



