On 7/28/2010 6:26 PM, geremy condra wrote:
On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey Gaynor <jgay...@ncsa.uiuc.edu> wrote:
Hi,

I am making a first large project in python and am having quite a
bit of difficulty unscrambling various python versions and what
they can/cannot do. To wit, I must communicate with certain
services via https and am required to perform certificate
verification on them.

The problem is that I also have to do this under CentOS 5.5 which
only uses python 2.4 as its default -- this is not negotiable. As
near as I can tell from reading various posts, the https client
does not do verification and there is no low-level SSL support to
provide a workaround. Near as I can tell from reading, 2.6 does
include this. Am I getting this right? Is there a simple way to do
this? More to the point, I need to know pretty darn quick if this
is impossible so we can try and plan for it.

So the quick question: Has anyone done certificate verification
using 2.4 and if so, how?

Thanks!

M2Crypto is the way to go here. I think there's an example on their
site.

   M2Crypto does that job quite well.  Installing M2Crypto tends to be
painful if you have to build it, though.  See if you can find a pre-
built version.

   You then need a "cacert.pem" file, with the root certificates you're
going to trust.  You can get one from

        http://curl.haxx.se/docs/caextract.html

which converts Mozilla's format to a .pem file once a week.
The actual Mozilla source file is at

http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt

   but M2Crypto needs it in .pem format.

   The new Python SSL module in 2.6 and later has a huge built-in
security hole - it doesn't verify the domain against the
certificate.  As someone else put it, this means "you get to
talk securely with your attacker." As long as the site or proxy
has some valid SSL cert, any valid SSL cert copied from anywhere,
the new Python SSL module will tell you everything is just fine.

                                John Nagle
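The hole described above is that the certificate is checked for a valid chain but never bound to the name that was dialled. The following is an added example, not code from this thread or from any of its posters, showing the missing step: a getpeercert()-style dictionary is matched against the hostname (subjectAltName DNS entries first, commonName only as a fallback, wildcards restricted to one leftmost label), and a connect helper that loads a cacert.pem, demands a trusted chain and then applies that match. It assumes the Python 3 `ssl.SSLContext` API, which 2.4 and 2.6 did not have; `match_hostname`, `covers`, `open_verified` and the sample certificate dictionaries are all constructed for this example.

```python
import socket
import ssl


class HostnameMismatch(Exception):
    """Raised when the certificate does not cover the host we dialled."""


def _dnsname_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname (RFC 6125 style).

    A wildcard is honoured only as the whole leftmost label ("*.example.org"),
    stands for exactly one label, and never matches the bare domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject "w*.example.org", "*.*.example.org" and "*.org".
    if labels[0] != "*" or "*" in pattern[2:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def match_hostname(cert, hostname):
    """Bind a getpeercert()-style dict to the hostname we connected to.

    subjectAltName DNS entries take precedence; the subject commonName is
    consulted only when the certificate carries no DNS SAN at all.
    Returns the matching certificate name, or raises HostnameMismatch.
    """
    if not cert:
        raise HostnameMismatch("empty or unverified certificate")
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    for name in dns_names:
        if _dnsname_matches(name, hostname):
            return name
    raise HostnameMismatch("hostname %r does not match certificate names %r"
                           % (hostname, dns_names))


def covers(cert, hostname):
    """Boolean form of match_hostname() for callers that prefer not to catch."""
    try:
        match_hostname(cert, hostname)
        return True
    except HostnameMismatch:
        return False


def open_verified(hostname, port, ca_file, timeout=10.0):
    """Connect over TLS, require a chain to ca_file, then bind the cert to hostname.

    ca_file is a PEM bundle such as the cacert.pem mentioned in the thread.
    The explicit match_hostname() call is the step the 2.6 ssl module left
    out; on Python 3 a context with check_hostname=True does the same thing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # done explicitly below, for illustration
    ctx.verify_mode = ssl.CERT_REQUIRED  # a valid chain to ca_file is mandatory
    ctx.load_verify_locations(ca_file)
    raw = socket.create_connection((hostname, port), timeout=timeout)
    conn = ctx.wrap_socket(raw, server_hostname=hostname)
    try:
        match_hostname(conn.getpeercert(), hostname)
    except HostnameMismatch:
        conn.close()
        raise
    return conn


# Constructed samples in the shape getpeercert() returns (not real certificates).
SAMPLE_CERT = {
    "subject": ((("commonName", "service.example.org"),),),
    "subjectAltName": (("DNS", "service.example.org"),
                       ("DNS", "*.api.example.org")),
}
# No SAN at all, so only the commonName is available for matching.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}
# SAN present, so the differing commonName must be ignored.
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "other.example.org"),),),
    "subjectAltName": (("DNS", "x.example.org"),),
}


if __name__ == "__main__":
    for host in ("service.example.org", "foo.api.example.org",
                 "api.example.org", "attacker.example.org"):
        print("%-25s %s" % (host, covers(SAMPLE_CERT, host)))
```

The chain check (CERT_REQUIRED plus the CA bundle) and the name check are deliberately separate functions so that the second can be unit-tested on a plain dictionary without opening a socket, which is also the easiest way to see why a valid certificate for an unrelated host is rejected.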

--
http://mail.python.org/mailman/listinfo/python-list