Path: csiph.com!x330-a1.tempe.blueboxinc.net!newsfeed.hal-mli.net!feeder3.hal-mli.net!news.glorb.com!newsfeed.xs4all.nl!newsfeed6.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.013 X-Spam-Evidence: '*H*': 0.97; '*S*': 0.00; 'subject:module': 0.04; 'https': 0.07; 'python': 0.08; 'obsolete': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:80.91.229.12': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'received:lo.gmane.org': 0.09; 'extensions': 0.15; '(ideally': 0.16; 'certificate.': 0.16; 'cookies': 0.16; 'phrasing': 0.16; 'subject:SSL': 0.16; 'wrote:': 0.16; '(but': 0.21; 'subject:information': 0.21; "doesn't": 0.22; 'header:In-Reply- To:1': 0.22; 'module,': 0.23; 'pm,': 0.24; 'server': 0.29; 'module.': 0.29; '(and': 0.29; 'module': 0.30; 'xmlrpc': 0.30; "can't": 0.33; 'there': 0.33; 'to:addr:python-list': 0.33; 'decide': 0.33; 'header:User-Agent:1': 0.34; 'ssl': 0.34; 'header:X-Complaints-To:1': 0.35; 'using': 0.37; 'but': 0.37; 'received:org': 0.38; 'allows': 0.38; 'accepted': 0.38; 'subject:: ': 0.39; 'client': 0.39; 'header:Mime-Version:1': 0.39; 'basic': 0.39; 'session': 0.39; 'data': 0.39; 'to:addr:python.org': 0.39; "it's": 0.40; 'your': 0.61; 'custom': 0.61; 'john': 0.62; 'alternative': 0.64; 'back,': 0.64; 'subject.': 0.64; 'information,': 0.65; 'safe': 0.69; 'serious': 0.78; '08:10': 0.84; 'cert.': 0.84; 'issuer': 0.84; 'john,': 0.84; 'phony': 0.84 X-Injected-Via-Gmane: http://gmane.org/ To: python-list@python.org From: Gelonida N Subject: Re: SSL module needs issuer information Date: Sun, 04 Sep 2011 02:15:32 +0200 References: <4e626d97$0$1665$742ec2ed@news.sonic.net> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Gmane-NNTP-Posting-Host: unicorn.dungeon.de User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.20) Gecko/20110805 Lightning/1.0b2 "" In-Reply-To: <4e626d97$0$1665$742ec2ed@news.sonic.net> X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 36 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1315095349 news.xs4all.nl 2399 [2001:888:2000:d::a6]:32770 X-Complaints-To: abuse@xs4all.nl Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:12727 Hi John, On 09/03/2011 08:10 PM, John Nagle wrote: > The SSL module still doesn't return much information from the > certificate. SSLSocket.getpeercert only returns a few basic items > about the certificate subject. You can't retrieve issuer information, > and you can't get the extensions needed to check if a cert is an EV cert. > > With the latest flaps about phony cert issuers, it's worth > having issuer info available. It was available in the old M2Crypto > module, but not in the current Python SSL module. Your phrasing 'old M2Crypto' disturbs me slightly. I am using Python 2.6. Is M2Crypto also obsolete for python 2.6? Is there any serious alternative if I want to verify the server certificate in a safe way (and if I want to send a client certificate)?? I am in search for a set of libraries, which allows me to: - verify the server certificate (ideally via a custom call back, which can inspect the certificate data and then decide whether the certificate shall be accepted or not) - send a client certificate - use https with a cookie jar (ideally even persistent, but session cookies are enough) - do XMLRPC calls (but send cookies in the headers) Would m2crypto be the right choice?