Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder1.news.weretis.net!feeder.erje.net!xlned.com!feeder5.xlned.com!newsfeed.xs4all.nl!newsfeed5.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <python-python-list@m.gmane.org>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.000
X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'elif': 0.04; 'ok.': 0.04; 'socket': 0.04; 'suppose': 0.05; 'https': 0.07; 'urllib2': 0.07; '%s"': 0.09; 'expired': 0.09; 'httplib': 0.09; 'indicates': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'output': 0.10; 'def': 0.13; 'skip:f 30': 0.13; '"%s"': 0.16; '"%s"\'': 0.16; '%h:%m:%s': 0.16; '[errno': 0.16; 'certs': 0.16; 'itself;': 0.16; 'out?': 0.16; 'overrides': 0.16; 'pem': 0.16; 'pprint': 0.16; 'self.port),': 0.16; 'self.sock': 0.16; 'sock': 0.16; 'ssl,': 0.16; 'wrap': 0.18; 'checked': 0.21; 'apache': 0.21; 'trying': 0.21; 'connections': 0.21; 'pointed': 0.21; "doesn't": 0.22; 'fine': 0.24; 'obviously': 0.25; 'code': 0.26; 'import': 0.27; 'looks': 0.27; 'server.': 0.28; 'raise': 0.28; "i'm": 0.28; 'unknown': 0.29; 'class': 0.29; 'print': 0.29; 'correct': 0.29; 'server': 0.30; 'host': 0.30; 'skip:_ 70': 0.30; '(both': 0.30; 'wraps': 0.30; 'error': 0.30; 'skip:( 20': 0.31; 'version': 0.32; 'signed': 0.32; 'urls': 0.32; 'header:User-Agent:1': 0.33; 'match': 0.34; 'header:X-Complaints-To:1': 0.34; 'easiest': 0.34; 'ca,': 0.34; 'root': 0.34; 'ssl': 0.34; 'to:addr:python-list': 0.35; 'however,': 0.35; 'response': 0.36; 'received:org': 0.36; 'but': 0.37; 'using': 0.37; 'could': 0.38; 'getting': 0.38; 'should': 0.38; 'goes': 0.39; 'client': 0.40; 'being': 0.40; 'to:addr:python.org': 0.40; 'skip:s 40': 0.40; 'target': 0.63; 'alert': 0.64; 'details': 0.64; 'below.': 0.64; 'secure': 0.67; 'match,': 0.67; 'received:109': 0.78; 'verification': 0.78; 'format)': 0.91
X-Injected-Via-Gmane: http://gmane.org/
To: python-list@python.org
From: Robin Becker <robin@reportlab.com>
Subject: client ssl verification
Date: Thu, 15 Mar 2012 14:31:03 +0000
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Gmane-NNTP-Posting-Host: 109.174.168.73
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.679.1331821872.3037.python-list@python.org>
Lines: 91
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1331821872 news.xs4all.nl 6928 [2001:888:2000:d::a6]:58009
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:21677

I'm trying to do client ssl verification with code that looks like the sample 
below. I am able to reach and read urls that are secure and have no client 
certificate requirement OK. If I set explicit_check to True then verbose output 
indicates that the server certs are being checked fine ie I see the correct cert 
details and am able to check them.

However, when I try to reach an apache location like

<Location /media/secret>
     sslverifyclient require
     sslverifydepth 10
</Location>

I am getting an error from  urllib2 that goes like this

urllib2.py", line 1148, in do_open
     raise URLError(err)
URLError: <urlopen error [Errno 1] _ssl.c:1347: error:14094418:SSL 
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I am using the server.crt and server.key (both in PEM format) from the target 
server itself; I reasoned that should be the easiest combo for the client & 
server to match, but I am obviously wrong. Any obvious stupidities to be pointed 
out? I suppose I could create a new cert/key based on a self signed ca, but that 
would not work properly for the other parts of the server.

> import socket, ssl, fnmatch, datetime, urllib2, httplib
> verbose=False
>
> # wraps https connections with ssl certificate verification
> class SecuredHTTPSHandler(urllib2.HTTPSHandler):
>   def __init__(self,key_file=None,cert_file=None,ca_certs=None,explicit_check=False):
>     class SecuredHTTPSConnection(httplib.HTTPSConnection):
>       def connect(self):
>         # overrides the version in httplib so that we do
>         #  certificate verification
>         sock = socket.create_connection((self.host, self.port), self.timeout)
>         if self._tunnel_host:
>           self.sock = sock
>           self._tunnel()
>         # wrap the socket using verification with the root
>         #  certs in ca_certs
>         if verbose:
>           print ca_certs, key_file, cert_file
>         self.sock = ssl.wrap_socket(sock,
>                       cert_reqs=ssl.CERT_REQUIRED,
>                       ca_certs=ca_certs,
>                       keyfile=key_file,
>                       certfile=cert_file,
>                       )
>         if explicit_check:
>           cert = self.sock.getpeercert()
>           if verbose:
>             import pprint
>             pprint.pprint(cert)
>           for key,field in cert.iteritems():
>             if key=='subject':
>               sd = dict([x[0] for x in field])
>               certhost = sd.get('commonName')
>               if not fnmatch.fnmatch(self.host,certhost):
>                 raise ssl.SSLError("Host name '%s' doesn't match certificate host '%s'"
>                      % (self.host, certhost))
>               if verbose:
>                 print 'matched "%s" to "%s"'  % (self.host,certhost)
>             elif key=='notAfter':
>               now = datetime.datetime.now()
>               crttime = datetime.datetime.strptime(field,'%b %d %H:%M:%S %Y %Z')
>               if verbose:
>                 print 'crttime=%s now=%s' % (crttime,now)
>               if now>=crttime:
>                 raise ssl.SSLError("Host '%s' certificate expired on %s"
>                        % (self.host, field))
>     self.specialized_conn_class = SecuredHTTPSConnection
>     urllib2.HTTPSHandler.__init__(self)
>
>   def https_open(self, req):
>     return self.do_open(self.specialized_conn_class, req)
>
> def secureDataGet(uri,ca_certs='cacert.pem',key_file=None,cert_file=None, explicit_check=False):
>   https_handler = SecuredHTTPSHandler(key_file=key_file,cert_file=cert_file,
>             ca_certs=ca_certs,explicit_check=explicit_check)
>   url_opener = urllib2.build_opener(https_handler)
>   handle = url_opener.open(uri)
>   response = handle.readlines()
>   handle.close()
>   return response


-- 
Robin Becker