I've been playing with the new SSL module, and so far it works great.

However, when using it to connect to a host with a self signed
certificate, verification fails when I specify ssl.CERT_REQUIRED (as
expected).

I know that I'm connecting to a host with a self signed certificate, so
I want to be able to ignore that error. At the moment, the only option I
see is to specify ssl.CERT_NONE and verify the DER certificate by hand.

It would be great if I could specify a callback function that can ignore
certain errors, and does additional checking.

On the client side, are you passing a ca_certs file with the self-signed
certificate in it?  If not, the library won't be able to validate the
certificate enough to be able to see the data in it.  But if you do
that, you should be able to see the bits of the certificate.  There's no
point to seeing the bits of an unvalidated certificate, because they may
be forged.  So the library doesn't allow you to see the bits of an
unvalidated certificate from the other side of the connection.

Hi Bill,

When I include the server certificate in ca_certs, verification
succeeds, and I can view the peer certificate dict with getpeercert(False)

When I set ca_certs to none and ssl.CERT_NONE, I can still call
getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM
certificate.

SSL is all new to me, so forgive me if I talk nonsense, but what I'm
trying to do is the following:

I receive a key from Bob which is a digest of his servers certificate.
To make sure I'm really talking to Bob I need to decrypt his servers
signature with his public key and check the resulting digest against my
key. So I have to ignore failures like
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like
X509_V_ERR_CERT_SIGNATURE_FAILURE.

The idea is based on what foolscap is doing with FURLS
(http://foolscap.lothar.com/trac)

Am I making sense?

Yep, it looks like you're on the right track.  I'll close this bug.

Bill

On Wed, May 14, 2008 at 12:51 PM, Ruben Kerkhof <report@bugs.python.org>
wrote:

>
> Ruben Kerkhof <ruben@rubenkerkhof.com> added the comment:
>
> Hi Bill,
>
> When I include the server certificate in ca_certs, verification
> succeeds, and I can view the peer certificate dict with getpeercert(False)
>
> When I set ca_certs to none and ssl.CERT_NONE, I can still call
> getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM
> certificate.
>
> SSL is all new to me, so forgive me if I talk nonsense, but what I'm
> trying to do is the following:
>
> I receive a key from Bob which is a digest of his servers certificate.
> To make sure I'm really talking to Bob I need to decrypt his servers
> signature with his public key and check the resulting digest against my
> key. So I have to ignore failures like
> X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and
> X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like
> X509_V_ERR_CERT_SIGNATURE_FAILURE.
>
> The idea is based on what foolscap is doing with FURLS
> (http://foolscap.lothar.com/trac)
>
> Am I making sense?
>
> __________________________________
> Tracker <report@bugs.python.org>
> <http://bugs.python.org/issue2838>
> __________________________________
>