openssl 0.9.5a and python 1.6a2

frl3 at my-deja.com
Fri Jul 14 17:22:59 EDT 2000


In article <396F2797.D0D3387B at free.fr>,
  Martin Carpenter <mcarpenter at free.fr> wrote:
> falk.lehmann at gmx.net wrote:
>
> > I build python 1.6a2 and included the SSL support. I am using the
> > openssl library 0.9.5a on a NT box.
> [snip]
> > But the proxy replies with an error message:
> [snip]
> > The requested item could not be loaded by the proxy.<P>
> > The certificate issuer for this server is not recognized by
> > Netscape. The security certificate may or may not be valid.
> [snip]
> > It seems that some certificate is missing. How do I make openssl
> > aware of the certificates delivered with the distribution? Or is the
> > error somewhere else?
>
> Sounds suspiciously like it's the *proxy* that doesn't recognise the
> CA that signed cardfile.com's certificate. So:
>
> (a) Can you access this site using a standard browser and the same
> proxy? This would eliminate the proxy from the equation.

no problem with a standard browser.

> (b) What certificate does cardfile.com present? Who is the issuer?
> (Try, for example, going to that site and then examining the security
> properties of that page with your browser - the "padlock" icon in
> Navigator, for example). [I'm offline at the moment].

the issuer is Thawte (Thawte Server CA). this certificate was not
contained in the certs directory of the openssl package. so I exported
it from the MS-IE database. but that didn't help.

> (c) I've not been around OpenSSL for a while (0.7 was the last I
> tinkered with, I think), but the standard issuer certificates didn't
> used to be "built in".

not the certificates, but maybe the path to the certificates is built
in?

> It was up to the application developer to provide
> the code to verify the validity of any certificate presented.
> Therefore, your application *should* contain copies of all the issuer
> certificates for the CAs that you wish to support. (Navigator 4.73,
> NT4.0, contains 70 or so of these "signer" certificates!).

any ideas that help?

Falk
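
[Added example, not part of the original thread. It uses the current Python `ssl` module rather than the 1.6a2 API discussed above, and shows the two points raised: the linked OpenSSL has a compiled-in certificate path, and a client context trusts no issuer until the application loads CA certificates in PEM format. The helper names and the sample file contents are constructed for illustration.]

```python
import os
import ssl
import tempfile

def builtin_trust_paths():
    """CA locations compiled into the linked OpenSSL, and the env vars that override them."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile, "cafile_env": p.openssl_cafile_env,
        "capath": p.openssl_capath, "capath_env": p.openssl_capath_env,
        "cafile_exists": os.path.isfile(p.openssl_cafile),
        "capath_exists": os.path.isdir(p.openssl_capath),
    }

def trusted_ca_count(ctx):
    """Number of CA certificates currently loaded in the context's store."""
    return ctx.cert_store_stats()["x509_ca"]

def load_ca_file(ctx, path):
    """Load a PEM CA file; return how many CAs were added, or None if rejected."""
    before = trusted_ca_count(ctx)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # ssl.SSLError is a subclass: missing file or not PEM
        return None
    return trusted_ca_count(ctx) - before

def demo():
    # A bare client context verifies peers but trusts no issuer until told to.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    result = {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "cas_before_load": trusted_ca_count(ctx),
    }
    # Constructed sample: binary bytes standing in for a non-PEM export.
    with tempfile.NamedTemporaryFile(suffix=".cer", delete=False) as f:
        f.write(b"\x30\x82\x01\x0a constructed, not a real certificate")
        bad = f.name
    try:
        result["non_pem_export"] = load_ca_file(ctx, bad)
    finally:
        os.unlink(bad)
    result["cas_after_bad_load"] = trusted_ca_count(ctx)
    return result

if __name__ == "__main__":
    print(builtin_trust_paths())
    print(demo())
```

[If `cafile_exists` and `capath_exists` are both false, the compiled-in location is empty on that machine and every issuer has to be supplied through `load_ca_file` or the two environment variables.]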




