Heikki Toivonen wrote:
> John Nagle wrote:
>
>> A list of small problems and bugs in the current M2Crypto:
>> I need to look at SSL certificates in some detail, so this
>> is all about the access functions for certificates.
>
> Thanks, got the reports, will check them out.
>
>> 3. /M2Crypto/SSL/Connection.py:147:
>> DeprecationWarning: Old style callback, use cb_func(ok, store)
>> instead return m2.ssl_connect(self.ssl)
>> (Also reported, in Polish, here:
>> http://www.mail-archive.com/pld-devel-pl@lists.pld-linux.org/msg12433.html)
>> Entered into Bugzilla as #7718.
>
> This is actually intended. Once I figure out how to implement all the
> functionality in the new way I'd like to remove the old way.

OK.

>> 4. "close()" on an SSL socket that's just finished certificate
>> negotiation hangs, at least on Windows.
>
> No known issues, but the ending of an SSL connection is a little grey
> area to me so I wouldn't be surprised if there are some cases where we
> shut down prematurely or too late. But I don't know why we'd hang.

I'll check that again.

>> 1. X509.X509_name.__getattr__:
>> Field retrieval from X.509 name items with x509_name_by_nid
>> retrieves only first instance of field, not all instances.
>
> Yes, I've been battling with this myself as well. OpenSSL provides
> objects to get things as a list, but they are so weird I haven't yet
> figured out a way to wrap them in Python so that you would actually be
> able to get some values out.

I convert X509_name items to a list of tuples. Here's an example:

    Server: [
        ('CN', 'www.apartmentsapart.com'),
        ('OU', 'Travel Services'),
        ('O', 'Niche Travel Ltd.'),
        ('L', 'Nicosia'),
        ('ST', 'Nicosia'),
        ('C', 'CY')]

That's straightforward. But to do this I have to convert the X509_name
item to a string, like this:

    subjectstr = subject.as_text(flags=(m2.XN_FLAG_RFC2253 | m2.ASN1_STRFLGS_UTF8_CONVERT) & ~m2.XN_FLAG_DUMP_UNKNOWN_FIELDS)

which yields a string of items like "L=Nicosia, OU=Travel Services",
with backslash escapes where necessary. (The default formatting does
not have proper escaping; it's just for debug use.) So I parse that,
obeying the escapes, and get out the tuples.

This works OK, but shouldn't be necessary. It's not something I need
now, though. Most things in X509 certificates map well to lists of
tuples.

>> 2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
>> OpenSSL will return info in UTF-8 if you use the
>> ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
>> M2 glue code handles this correctly. Haven't found a UTF8 cert
>> to test it on yet.
>
> Yeah, I am not convinced everything works as it should. Any UTF8 (and
> other encoding) samples would be welcome.

Looking for one. I think all that's needed is to recognize when
ASN1_STRFLGS_UTF8_CONVERT is set when converting to a Python string,
and convert to the appropriate form of Python string.

Just rediscovered bug #5277, "Support certificates with multiple DNS
names", which is fixed in 0.18. Looking forward to version 0.18. If you
want to test that, try to open
"https://www.autumngalleryforthehome.com".

John Nagle
--
http://mail.python.org/mailman/listinfo/python-list
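
The parsing step described in the message above (turning the as_text() output into tuples while obeying the backslash escapes), as an added example that is not part of the original message or of M2Crypto. The function name parse_rfc2253 and the sample string are constructed here; it assumes Python 3, a string already obtained from as_text(), and no quoted or "#hex" values.

```python
HEX = "0123456789abcdefABCDEF"

def parse_rfc2253(dn):
    """Split an RFC 2253 style name string into (type, value) tuples,
    keeping every instance of a repeated attribute type."""
    pairs = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)                 # attribute type ends at '='
        if eq < 0:
            raise ValueError("missing '=' after offset %d" % i)
        attr = dn[i:eq].strip()
        i = eq + 1
        while i < n and dn[i] == " ":        # unescaped leading spaces
            i += 1
        raw = bytearray()   # value as bytes: \XX pairs may be UTF-8 pieces
        keep = 0            # length of raw up to the last significant byte
        while i < n and dn[i] not in ",+;":  # '+' joins a multi-valued RDN
            ch = dn[i]
            if ch == "\\":
                if i + 1 >= n:
                    raise ValueError("dangling backslash at end of string")
                if i + 2 < n and dn[i + 1] in HEX and dn[i + 2] in HEX:
                    raw.append(int(dn[i + 1:i + 3], 16))   # \C3 -> byte 0xC3
                    i += 3
                else:
                    raw += dn[i + 1].encode("utf-8")       # \, -> literal ','
                    i += 2
                keep = len(raw)              # escaped bytes are never trimmed
            else:
                raw += ch.encode("utf-8")
                i += 1
                if not ch.isspace():
                    keep = len(raw)
        pairs.append((attr, bytes(raw[:keep]).decode("utf-8")))
        i += 1                               # step over the separator
    return pairs

# Constructed sample, not taken from a real certificate.
SAMPLE = (r"CN=www.example.com, OU=Travel Services, O=Example\, Ltd., "
          r"OU=Second Unit, L=Z\C3\BCrich, C=CH")

if __name__ == "__main__":
    for pair in parse_rfc2253(SAMPLE):
        print(pair)
```

Both OU entries come back in order, which is the behaviour item 1 says the single-field lookup lacks; a value whose hex pairs are not valid UTF-8 raises UnicodeDecodeError instead of being accepted silently.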