A list of small problems and bugs in the current M2Crypto:
I need to look at SSL certificates in some detail, so this
is all about the access functions for certificates.

Bugs:

        1.  Off by one error at "X509.get_ext_count()". Reports
        eight extensions on a certificate that only has seven.
        get_ext_at works for extensions 0..6, then returns
        an undefined for the nonexistent #7.
        Test against "https://www.verisign.com".
        Entered into Bugzilla as #7717.

        3. /M2Crypto/SSL/Connection.py:147:
        DeprecationWarning: Old style callback, use cb_func(ok, store) instead
          return m2.ssl_connect(self.ssl)
        (Also reported, in Polish, here: 
http://www.mail-archive.com/pld-devel-pl@lists.pld-linux.org/msg12433.html)
        Entered into Bugzilla as #7718.

        4. "close()" on an SSL socket that's just finished certificate
        negotiation hangs, at least on Windows.  "del" does not hang,
        but I don't know if there's a leak problem.
        Not enough info yet to file a bug report.  I might be doing
        something wrong there.  Any known "close" issues?

Other issues:

        1. X509.X509_name.__getattr__:
        Field retrieval from X.509 name items with x509_name_by_nid
        retrieves only first instance of field, not all instances.
        Really should return a list.  The same key is used more
        than once very frequently; these keys aren't unique.
        It's tempting to treat these things like a hash, but they
        don't really work that way.  As for simply iterating through
        the name elements, there's no direct way to just get the
        elements one at a time.   X509_Name has an "entry_count"
        method, but no way to get the Nth entry.

        As a workaround, I'm converting the X509_name to a string with
           subjectstr = peer.get_subject().as_text(
                flags=(m2.XN_FLAG_RFC2253 | m2.ASN1_STRFLGS_UTF8_CONVERT)
                & ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS)      # in RFC2253 format
        This is safely parseable.  While the default format doesn't have
        escapes around the delimiter characters, with these flags,
        entries are comma-separated with backslash escapes where
        necessary.  This works, unlike the "server()" function in
        Python's built-in SSL, which returns a debug format that
        has the same characters as delimiters and text.

        2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
        OpenSSL will return info in UTF-8 if you use the
        ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
        M2 glue code handles this correctly.  Haven't found a UTF8 cert
        to test it on yet.

Other than that, I'm having relatively good results with M2Crypto.

                                        John Nagle
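
An added example, not part of the original post and not M2Crypto code: one way to parse the RFC 2253 string produced by the workaround above into a list per field, so repeated keys such as OU are all kept. The names parse_rfc2253, split_unescaped and unescape are hypothetical, and the sample DN is constructed.

```python
from collections import defaultdict

HEX = "0123456789abcdefABCDEF"

def split_unescaped(s, sep):
    """Split s on sep, skipping separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape for unescape()
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def unescape(value):
    """Decode RFC 2253 escapes: \\XX is one raw byte, \\c is the literal c."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(ch in HEX for ch in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            i += 1                      # drop the backslash, keep next char
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")          # hex pairs carry UTF-8 bytes

def parse_rfc2253(dn):
    """Return {attribute: [values, ...]}, keeping every repeated field.
    The legacy double-quoted value form is not handled."""
    fields = defaultdict(list)
    for rdn in (split_unescaped(dn, ",") if dn else []):
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
            key, sep, raw = ava.partition("=")
            if not sep:
                raise ValueError("malformed component: %r" % ava)
            # '#...' is a hex dump of an unknown type; leave it untouched
            fields[key].append(raw if raw.startswith("#") else unescape(raw))
    return dict(fields)

# Constructed sample: two OU entries, escaped commas, UTF-8 as hex pairs.
SAMPLE = (r"CN=www.example.com,OU=Terms of use at www.example.com/rpa (c)05,"
          r"OU=Web\, Ops,O=Example\, Inc.,L=M\C3\BCnchen,C=DE")
```
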