On 04/08/2017 15:12, Irmen de Jong wrote:
On 04/08/2017 15:44, Robin Becker wrote:
..........
You can specify a CAcert using load_verify_locations on the ssl context. Is that what you meant? I figured out that if you set that to the peer's certificate it will then be

Yes, I think so. Certainly the self-signed certs I tried with python3 urllib seemed to require valid hostnames. If I just use this as server


from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)

# Server-side context presenting our (self-signed) cert and key to clients.
# ssl.wrap_socket() is deprecated (removed in Python 3.12); an SSLContext
# does the same job.
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='/home/rptlab/tmp/cert.pem',
                    keyfile='/home/rptlab/tmp/key.pem')
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)

httpd.serve_forever()

and this as requester

import ssl
from urllib import request

# urlopen(cafile=...) is deprecated (removed in Python 3.13); pass a context.
# create_default_context(cafile=...) calls load_verify_locations() on that
# file and keeps CERT_REQUIRED and hostname checking switched on.
ctx = ssl.create_default_context(cafile='/home/rptlab/tmp/cert.pem')
req = request.urlopen('https://localhost:4443', context=ctx)
print(req.read())


then, provided the self-signed cert has the name localhost, requests can be made OK.

I'm guessing this would also work OK if the cert had multiple names embedded in it, which would allow a small cluster to be used.

I don't know which part of the socket does the host name checking, but perhaps that can be turned off somewhere.


accepted.  I understand it as much as "hey openssl here is a root cert that you should trust if you encounter it".
Without doing this, the cert is denied on the SSL level (unless you set the ssl options to no-cert-required but that is definitely not what I wanted)

Bottom line is I learned something new :)

And also that Python's standard ssl library isn't as bad as I remember it to be a few years ago.  Is there still a reason to use, say, PyOpenSSL anymore?

It's getting better anyhow.


Irmen


--
Robin Becker

--
https://mail.python.org/mailman/listinfo/python-list
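The two questions raised in the thread, whether a cert carrying several names covers a small cluster and where the hostname check lives and whether it can be switched off, can be exercised end to end from Python's ssl module. The script below is an added example, not code from the thread or from either poster. It assumes the `openssl` command-line tool (1.1.1 or newer, for `-addext`) is on PATH and only uses it to mint a throwaway key and self-signed certificate; the cluster names and the banner text are constructed for the demonstration. The cert is trusted through `create_default_context(cafile=...)`, which calls `load_verify_locations()` on it and leaves `CERT_REQUIRED` and `check_hostname` on; the third case shows that `check_hostname = False` skips only the name comparison while the chain is still verified against the trust store.

```python
"""Added example (not from the thread): self-signed cert with several SANs,
trusted via load_verify_locations, with the hostname check exercised.
Assumes the `openssl` CLI (1.1.1+ for -addext) is on PATH."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed list of names for a hypothetical small cluster.
SAN_NAMES = ["localhost", "node1.cluster.test", "node2.cluster.test"]
BANNER = b"hello from the cluster"   # constructed payload


def make_self_signed_cert(names, directory):
    """Create key.pem/cert.pem with every name in `names` as a DNS SAN."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    san = ",".join("DNS:" + n for n in names)
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=" + names[0], "-addext", "subjectAltName=" + san],
        check=True, capture_output=True)
    return key, cert


def serve_tls(key, cert, ready, stop, port_out):
    """Minimal TLS server on 127.0.0.1 that sends BANNER to each client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    with socket.socket() as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen()
        lsock.settimeout(0.2)              # poll `stop` between accepts
        port_out.append(lsock.getsockname()[1])
        ready.set()
        while not stop.is_set():
            try:
                raw, _ = lsock.accept()
            except socket.timeout:
                continue
            raw.settimeout(2)
            try:
                with raw, ctx.wrap_socket(raw, server_side=True) as tls:
                    tls.sendall(BANNER)
            except OSError:
                pass  # client aborted the handshake (e.g. rejected our cert)


def fetch(port, cafile, server_hostname, check_hostname=True):
    """Connect trusting only `cafile`; return (banner, DNS SANs of the peer)."""
    # create_default_context(cafile=...) == load_verify_locations(cafile)
    # plus CERT_REQUIRED and check_hostname=True: the name check lives here.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = check_hostname    # False: verify chain, skip the name
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            sans = [v for t, v in tls.getpeercert()["subjectAltName"]
                    if t == "DNS"]
            return tls.recv(1024), sans


def demo():
    """Run three client cases against the local server; return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = make_self_signed_cert(SAN_NAMES, d)
        ready, stop, port = threading.Event(), threading.Event(), []
        t = threading.Thread(target=serve_tls,
                             args=(key, cert, ready, stop, port), daemon=True)
        t.start()
        ready.wait(5)
        out = {}
        # 1. a name listed in the SAN: chain and hostname both verify
        out["san_name"] = fetch(port[0], cert, SAN_NAMES[2])
        # 2. a name the cert does not carry: rejected during the handshake
        try:
            fetch(port[0], cert, "node9.cluster.test")
            out["wrong_name"] = "accepted"
        except ssl.SSLCertVerificationError:
            out["wrong_name"] = "rejected"
        # 3. hostname check off: cert still verified, only the name is skipped
        out["no_hostname_check"] = fetch(port[0], cert, "node9.cluster.test",
                                         check_hostname=False)
        stop.set()
        t.join(2)
        return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Because the only trusted "CA" is the peer's own certificate, case 3 is effectively certificate pinning: any holder of that one private key is accepted under any name, which is a much smaller exposure than disabling `check_hostname` against the system trust store, where every public CA's certificates would then pass for any name.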
