[PYTHON-CRYPTO] Custom SSL verification callbacks should now work
Thomas D. Uram
turam at MCS.ANL.GOV
Mon Jun 13 19:44:14 CEST 2005
I'm running the latest m2crypto source from subversion with swig 1.3.24, using the echo
demos, and SSL.cb.ssl_verify_callback, which is of the older five-argument form, does not
work.
I'm running demo/ssl/echo.py against demo/ssl/echod-iterative.py. echo.py calls
set_verify to set SSL.cb.ssl_verify_callback, and fails like so:
LOOP: SSL connect: before/connect initialization
LOOP: SSL connect: SSLv3 write client hello A
LOOP: SSL connect: SSLv3 read server hello A
/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Connection.py:124: DeprecationWarning: Old style callback, use cb_func(ok, store) instead
  return m2.ssl_connect(self.ssl)
in ssl_verify_callback
Traceback (most recent call last):
  File "echo.py", line 39, in ?
    s.connect((host, port))
  File "/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Connection.py", line 131, in connect
    ret = self.connect_ssl()
  File "/home/turam/lib/python2.3/site-packages/M2Crypto/SSL/Connection.py", line 124, in connect_ssl
    return m2.ssl_connect(self.ssl)
M2Crypto.SSL.SSLError: certificate verify failed
Examining the exception that occurs in ssl_verify_callback, I found that the map in
Context.py from C objects to python objects doesn't include the C context object passed
into the verify callback (as ssl_ctx_ptr). That's as far as I chased it.
If I replace ssl_verify_callback with my own custom verify_callback, of either the two-arg
or five-arg form:
def verify_callback(ok, store):
    # New two-argument style: hand OpenSSL's verdict back unchanged
    return ok

def fiveargs_verify_callback(ctx_ptr, x509_ptr, errnum, errdepth, ok):
    # Old (deprecated) five-argument style
    return ok
it works fine.
Tom
On 06/01/05 17:32, Heikki Toivonen wrote:
> Phew, this turned out to be more complicated than I originally thought.
> Anyway, now you should be able to set a custom SSL verification callback
> with
>
> def verify_cb(ok, store):
>     # Do my custom verification
>     return ok
>
> ctx = SSL.Context()
> ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9,
>                verify_cb)
>
> Previously that crashed on me every time. Both the new style callback
> and the old style callback with 5 arguments are supported, and
> everything should be backwards compatible. The 5 argument version is
> deprecated.
>
> I would be interested to hear if:
>
> 1) You experience any problems with this
> 2) You were actually using the custom callback successfully before
>
> --
> Heikki Toivonen
>
>
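Added example, not code from this thread, from the M2Crypto echo demos or from M2Crypto itself: it fills in the "# Do my custom verification" line of Heikki's two-argument verify_cb(ok, store) and shows the one thing a custom callback must not do. The assumptions are labelled in the code: `store` is an M2Crypto.X509.X509_Store_Context exposing get_error(), get_error_depth() and get_current_cert(), the current certificate is an M2Crypto.X509.X509 with get_fingerprint(md), and the numeric error codes are OpenSSL's x509_vfy.h values. The _StubStore/_StubCert classes are constructed stand-ins so the callbacks can be run without a live TLS connection; make_context() is the only part that touches M2Crypto.

```python
# Added example; not from the thread, M2Crypto or the echo demos.
# Assumed interface (labelled): `store` is M2Crypto.X509.X509_Store_Context with
# get_error(), get_error_depth(), get_current_cert(); the cert is
# M2Crypto.X509.X509 with get_fingerprint(md). Error codes are OpenSSL's
# x509_vfy.h values. _StubStore/_StubCert are constructed stand-ins for offline use.

X509_V_OK = 0
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18   # self-signed leaf, no CA chain


def verify_cb_passthrough(ok, store):
    """Safe baseline: keep OpenSSL's verdict for this certificate unchanged."""
    return ok


def verify_cb_accept_all(ok, store):
    """Anti-pattern: returning 1 regardless of `ok` disables verification,
    so expired, wrong-issuer and self-signed certificates are all accepted."""
    return 1


def _norm_fp(fp):
    return fp.replace(":", "").lower()


def make_pinned_verify_cb(pinned_sha1):
    """Build a verify_cb that keeps OpenSSL's verdict except for one narrow
    override: a self-signed leaf (depth 0) whose SHA-1 fingerprint equals
    `pinned_sha1`. Every other failure is still rejected."""
    pinned = _norm_fp(pinned_sha1)

    def verify_cb(ok, store):
        if ok:
            return 1                      # OpenSSL accepted; nothing to override
        if store.get_error() != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
            return 0                      # expired, bad signature, ...: keep failure
        if store.get_error_depth() != 0:
            return 0                      # only the leaf may be pinned
        cert = store.get_current_cert()
        if cert is None:
            return 0
        return 1 if _norm_fp(cert.get_fingerprint("sha1")) == pinned else 0

    return verify_cb


def make_context(cafile, verify_cb):
    """Wire a callback into a context the way Heikki's snippet does.
    M2Crypto is imported here so the callbacks above run without it."""
    from M2Crypto import SSL
    ctx = SSL.Context()
    ctx.load_verify_locations(cafile)
    ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9, verify_cb)
    return ctx


# Constructed stand-ins mimicking the accessors the callbacks use.
class _StubCert(object):
    def __init__(self, sha1):
        self._sha1 = sha1

    def get_fingerprint(self, md="md5"):
        assert md == "sha1"               # the stub only knows its SHA-1
        return self._sha1


class _StubStore(object):
    def __init__(self, err, depth, sha1):
        self._err, self._depth, self._sha1 = err, depth, sha1

    def get_error(self):
        return self._err

    def get_error_depth(self):
        return self._depth

    def get_current_cert(self):
        return _StubCert(self._sha1)


PINNED = "AB" * 20                        # constructed 40-hex-digit fingerprint


def demo():
    """Run each callback over constructed verification outcomes.
    Returns {(callback_name, scenario): result}."""
    pinned_cb = make_pinned_verify_cb(PINNED)
    # scenario: (ok from OpenSSL, error code, depth, leaf fingerprint)
    scenarios = {
        "valid chain":        (1, X509_V_OK, 0, "00" * 20),
        "pinned self-signed": (0, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 0, PINNED),
        "other self-signed":  (0, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 0, "00" * 20),
        "expired":            (0, X509_V_ERR_CERT_HAS_EXPIRED, 0, PINNED),
    }
    results = {}
    for name, (ok, err, depth, fp) in scenarios.items():
        store = _StubStore(err, depth, fp)
        results[("passthrough", name)] = verify_cb_passthrough(ok, store)
        results[("accept_all", name)] = verify_cb_accept_all(ok, store)
        results[("pinned", name)] = pinned_cb(ok, store)
    return results


if __name__ == "__main__":
    for key, val in sorted(demo().items()):
        print("%-12s %-20s -> %d" % (key[0], key[1], val))
```

The callback is invoked once per certificate in the chain, so the override checks the error code and the depth together; an override keyed on the error alone would also wave through a self-signed certificate presented further up the chain. Returning `ok` when it is already 1 matters as well, because returning 0 there would fail certificates OpenSSL had accepted.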