
Author ruben
Recipients janssen, ruben
Date 2008-05-14.19:51:23
Message-id <1210794708.63.0.0984724284658.issue2838@psf.upfronthosting.co.za>
Content
Hi Bill,

When I include the server certificate in ca_certs, verification
succeeds, and I can view the peer certificate dict with getpeercert(False).

When I set ca_certs to none and ssl.CERT_NONE, I can still call
getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM
certificate.

SSL is all new to me, so forgive me if I talk nonsense, but what I'm
trying to do is the following:

I receive a key from Bob which is a digest of his server's certificate.
To make sure I'm really talking to Bob I need to decrypt his server's
signature with his public key and check the resulting digest against my
key. So I have to ignore failures like
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like
X509_V_ERR_CERT_SIGNATURE_FAILURE.

The idea is based on what foolscap is doing with FURLS
(http://foolscap.lothar.com/trac)

Am I making sense?
History
Date                 User   Action  Args
2008-05-14 19:51:50  ruben  set     spambayes_score: 0.0425188 -> 0.04251881; recipients: + ruben, janssen
2008-05-14 19:51:48  ruben  set     spambayes_score: 0.0425188 -> 0.0425188; messageid: <1210794708.63.0.0984724284658.issue2838@psf.upfronthosting.co.za>
2008-05-14 19:51:47  ruben  link    issue2838 messages
2008-05-14 19:51:43  ruben  create
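
The digest check described in the message above, sketched as an added example that is not part of the original message or of the ssl module itself. It assumes a SHA-256 digest and the present-day `ssl.SSLContext` API; `fingerprint`, `matches_pin`, `connect_pinned` and the sample bytes are hypothetical names and constructed values.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 digest of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert, pinned_hex: str) -> bool:
    """True only if a certificate was presented and its digest equals the pin."""
    if not der_cert:
        return False  # getpeercert(True) returns None when no certificate was sent
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def connect_pinned(host: str, port: int, pinned_hex: str) -> ssl.SSLSocket:
    """Open a TLS connection that trusts exactly one certificate, by digest.

    Chain validation is disabled so a self-signed certificate is accepted;
    the pin replaces the CA check. Any change to the certificate bytes,
    including its signature, changes the digest and is rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA validation; the pin decides
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    if not matches_pin(sock.getpeercert(binary_form=True), pinned_hex):
        sock.close()
        raise ssl.SSLError("peer certificate does not match pinned digest")
    return sock  # only after the pin check is it safe to send application data


# Constructed stand-in bytes, not a real certificate: the digest check
# treats the DER encoding as opaque, so any byte string exercises it.
SAMPLE_DER = b"0\x82\x01\x0aconstructed-sample-certificate-bytes"
SAMPLE_PIN = fingerprint(SAMPLE_DER)
```

The completed TLS handshake is what shows the server holds the private key for the presented certificate, so the digest comparison only has to establish that the certificate is the expected one.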