Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.lang.python > #8817 > unrolled thread

Secure ssl connection with wrap_socket

Started byAndrea Di Mario <anddimario@gmail.com>
First post2011-07-05 10:52 +0200
Last post2011-07-06 06:53 -0700
Articles 4 — 3 participants

Back to article view | Back to comp.lang.python


Contents

  Secure ssl connection with wrap_socket Andrea Di Mario <anddimario@gmail.com> - 2011-07-05 10:52 +0200
    Re: Secure ssl connection with wrap_socket Jean-Paul Calderone <calderone.jeanpaul@gmail.com> - 2011-07-05 07:08 -0700
      Re: Secure ssl connection with wrap_socket AndDM <anddimario@gmail.com> - 2011-07-06 01:44 -0700
        Re: Secure ssl connection with wrap_socket Jean-Paul Calderone <calderone.jeanpaul@gmail.com> - 2011-07-06 06:53 -0700

#8817 — Secure ssl connection with wrap_socket

FromAndrea Di Mario <anddimario@gmail.com>
Date2011-07-05 10:52 +0200
SubjectSecure ssl connection with wrap_socket
Message-ID<mailman.625.1309855979.1164.python-list@python.org>
Hi, I'm a new python user and I'm writing a small web service with ssl.
I want use a self-signed certificate like in wiki:
http://docs.python.org/dev/library/ssl.html#certificates
I've used wrap_socket, but if i try to use
cert_reqs=ssl.CERT_REQUIRED, it doesn't work with error:

urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
specified for verification of other-side certificates.>

It works only with CERT_NONE (the default) but with this option i
could access to the service in insicure mode.

Have you some suggestions for my service?

Thanks. Regards.

-- 
Andrea Di Mario

[toc] | [next] | [standalone]


#8825

FromJean-Paul Calderone <calderone.jeanpaul@gmail.com>
Date2011-07-05 07:08 -0700
Message-ID<898d98ba-5245-46ba-8058-987297ab3c48@s17g2000yqs.googlegroups.com>
In reply to#8817
On Jul 5, 4:52 am, Andrea Di Mario <anddima...@gmail.com> wrote:
> Hi, I'm a new python user and I'm writing a small web service with ssl.
> I want use a self-signed certificate like in wiki:http://docs.python.org/dev/library/ssl.html#certificates
> I've used wrap_socket, but if i try to use
> cert_reqs=ssl.CERT_REQUIRED, it doesn't work with error:
>
> urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
> specified for verification of other-side certificates.>
>
> It works only with CERT_NONE (the default) but with this option i
> could access to the service in insicure mode.
>
> Have you some suggestions for my service?
>

Also specify some root certificates to use in verifying the peer's
certificate.  Certificate verification works by proceeding from a
collection of "root" certificates which are explicitly trusted.  These
are used to sign other certificates (which may in turn be used to sign
others, which in turn...).  The process of certificate verification is
the process of following the signatures from the certificate in use by
the server you connect to back up the chain until you reach a root
which you have either decided to trust or not.  If the signatures are
all valid and the root is one you trust, then you have established a
connection to a trusted entity.  If any signature is invalid, or the
root is not one you trust, then you have not.

The root certificates are also called the "ca certificates" or
"certificate authority certificates".  `wrap_socket` accepts a
`ca_certs` argument.  See http://docs.python.org/library/ssl.html#ssl-certificates
for details about that argument.

Jean-Paul

[toc] | [prev] | [next] | [standalone]


#8919

FromAndDM <anddimario@gmail.com>
Date2011-07-06 01:44 -0700
Message-ID<742ddcd0-37d1-4009-a82b-c12cd3b7c43f@b2g2000vbo.googlegroups.com>
In reply to#8825
On Jul 5, 4:08 pm, Jean-Paul Calderone <calderone.jeanp...@gmail.com>
wrote:
> On Jul 5, 4:52 am, Andrea Di Mario <anddima...@gmail.com> wrote:
>
> > Hi, I'm a new python user and I'm writing a small web service with ssl.
> > I want use a self-signed certificate like in wiki:http://docs.python.org/dev/library/ssl.html#certificates
> > I've used wrap_socket, but if i try to use
> > cert_reqs=ssl.CERT_REQUIRED, it doesn't work with error:
>
> > urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
> > specified for verification of other-side certificates.>
>
> > It works only with CERT_NONE (the default) but with this option i
> > could access to the service in insicure mode.
>
> > Have you some suggestions for my service?
>
> Also specify some root certificates to use in verifying the peer's
> certificate.  Certificate verification works by proceeding from a
> collection of "root" certificates which are explicitly trusted.  These
> are used to sign other certificates (which may in turn be used to sign
> others, which in turn...).  The process of certificate verification is
> the process of following the signatures from the certificate in use by
> the server you connect to back up the chain until you reach a root
> which you have either decided to trust or not.  If the signatures are
> all valid and the root is one you trust, then you have established a
> connection to a trusted entity.  If any signature is invalid, or the
> root is not one you trust, then you have not.
>
> The root certificates are also called the "ca certificates" or
> "certificate authority certificates".  `wrap_socket` accepts a
> `ca_certs` argument.  Seehttp://docs.python.org/library/ssl.html#ssl-certificates
> for details about that argument.
>
> Jean-Paul

Hi Jean-Paul, i thought that with self-signed certificate i shouldn't
use ca_certs option. Now, i've created a ca-authority and i use this
command:

 self.sock = ssl.wrap_socket(sock, certfile = "ca/certs/
myfriend.cert.pem", keyfile = "ca/private/myfriend.key.pem",
ca_certs="/home/andrea/ca/certs/cacert.pem",
cert_reqs=ssl.CERT_REQUIRED)

When i use the some machine as client-server it works, but, when i use
another machine as client, i've this:

Traceback (most recent call last):
  File "loginsender.py", line 48, in <module>
    handle = url_opener.open('https://debian.andrea.it:10700/%s+%s' %
(DATA,IPIN))
  File "/usr/lib/python2.6/urllib2.py", line 391, in open
    response = self._open(req, data)
  File "/usr/lib/python2.6/urllib2.py", line 409, in _open
    '_open', req)
  File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "loginsender.py", line 33, in https_open
    return self.do_open(self.specialized_conn_class, req)
  File "/usr/lib/python2.6/urllib2.py", line 1145, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 185090050] _ssl.c:328: error:
0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>

I see that i should create a certificate with server, client and ca
autority, but i haven't clear the ca_certs option and which path i
should use.
Have you any suggestion?

Thank. Regards.

[toc] | [prev] | [next] | [standalone]


#8938

FromJean-Paul Calderone <calderone.jeanpaul@gmail.com>
Date2011-07-06 06:53 -0700
Message-ID<c0011b01-d9a3-4915-841d-3b72796a77eb@bl1g2000vbb.googlegroups.com>
In reply to#8919
On Jul 6, 4:44 am, AndDM <anddima...@gmail.com> wrote:
> On Jul 5, 4:08 pm, Jean-Paul Calderone <calderone.jeanp...@gmail.com>
> wrote:
>
>
>
> > On Jul 5, 4:52 am, Andrea Di Mario <anddima...@gmail.com> wrote:
>
> > > Hi, I'm a new python user and I'm writing a small web service with ssl.
> > > I want use a self-signed certificate like in wiki:http://docs.python.org/dev/library/ssl.html#certificates
> > > I've used wrap_socket, but if i try to use
> > > cert_reqs=ssl.CERT_REQUIRED, it doesn't work with error:
>
> > > urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
> > > specified for verification of other-side certificates.>
>
> > > It works only with CERT_NONE (the default) but with this option i
> > > could access to the service in insicure mode.
>
> > > Have you some suggestions for my service?
>
> > Also specify some root certificates to use in verifying the peer's
> > certificate.  Certificate verification works by proceeding from a
> > collection of "root" certificates which are explicitly trusted.  These
> > are used to sign other certificates (which may in turn be used to sign
> > others, which in turn...).  The process of certificate verification is
> > the process of following the signatures from the certificate in use by
> > the server you connect to back up the chain until you reach a root
> > which you have either decided to trust or not.  If the signatures are
> > all valid and the root is one you trust, then you have established a
> > connection to a trusted entity.  If any signature is invalid, or the
> > root is not one you trust, then you have not.
>
> > The root certificates are also called the "ca certificates" or
> > "certificate authority certificates".  `wrap_socket` accepts a
> > `ca_certs` argument.  Seehttp://docs.python.org/library/ssl.html#ssl-certificates
> > for details about that argument.
>
> > Jean-Paul
>
> Hi Jean-Paul, i thought that with self-signed certificate i shouldn't
> use ca_certs option. Now, i've created a ca-authority and i use this
> command:
>
>  self.sock = ssl.wrap_socket(sock, certfile = "ca/certs/
> myfriend.cert.pem", keyfile = "ca/private/myfriend.key.pem",
> ca_certs="/home/andrea/ca/certs/cacert.pem",
> cert_reqs=ssl.CERT_REQUIRED)
>
> When i use the some machine as client-server it works, but, when i use
> another machine as client, i've this:
>
> Traceback (most recent call last):
>   File "loginsender.py", line 48, in <module>
>     handle = url_opener.open('https://debian.andrea.it:10700/%s+%s'%
> (DATA,IPIN))
>   File "/usr/lib/python2.6/urllib2.py", line 391, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.6/urllib2.py", line 409, in _open
>     '_open', req)
>   File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
>     result = func(*args)
>   File "loginsender.py", line 33, in https_open
>     return self.do_open(self.specialized_conn_class, req)
>   File "/usr/lib/python2.6/urllib2.py", line 1145, in do_open
>     raise URLError(err)
> urllib2.URLError: <urlopen error [Errno 185090050] _ssl.c:328: error:
> 0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>
>
> I see that i should create a certificate with server, client and ca
> autority, but i haven't clear the ca_certs option and which path i
> should use.
> Have you any suggestion?

You need to have the CA certificate on any machine that is going to
verify the certificate used on the SSL connection.  The path just
needs to be the path to that CA certificate on the client machine.

Jean-Paul

[toc] | [prev] | [standalone]


Back to top | Article view | comp.lang.python


csiph-web