
Author janssen
Recipients janssen, ruben
Date 2008-05-14.21:57:34
Message-id <4b3e516a0805141457o78ed58dare1ff5356a7eca728@mail.gmail.com>
In-reply-to <1210794708.63.0.0984724284658.issue2838@psf.upfronthosting.co.za>
Content
Yep, it looks like you're on the right track.  I'll close this bug.

Bill

On Wed, May 14, 2008 at 12:51 PM, Ruben Kerkhof <report@bugs.python.org>
wrote:

>
> Ruben Kerkhof <ruben@rubenkerkhof.com> added the comment:
>
> Hi Bill,
>
> When I include the server certificate in ca_certs, verification
> succeeds, and I can view the peer certificate dict with getpeercert(False).
>
> When I set ca_certs to none and ssl.CERT_NONE, I can still call
> getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM
> certificate.
>
> SSL is all new to me, so forgive me if I talk nonsense, but what I'm
> trying to do is the following:
>
> I receive a key from Bob which is a digest of his server's certificate.
> To make sure I'm really talking to Bob I need to decrypt his server's
> signature with his public key and check the resulting digest against my
> key. So I have to ignore failures like
> X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and
> X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like
> X509_V_ERR_CERT_SIGNATURE_FAILURE.
>
> The idea is based on what foolscap is doing with FURLS
> (http://foolscap.lothar.com/trac)
>
> Am I making sense?
>
> __________________________________
> Tracker <report@bugs.python.org>
> <http://bugs.python.org/issue2838>
> __________________________________
>
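
The approach discussed in this message (connect with ssl.CERT_NONE, read the peer certificate with getpeercert(True), and compare its digest with a key received out of band) is sketched below as an added example; it is not code from the thread or from the ssl module's authors. SHA-256 as the digest, the function names, and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def cert_digest(der_cert: bytes) -> str:
    """Hex SHA-256 of the DER certificate (the digest choice is an assumption)."""
    return hashlib.sha256(der_cert).hexdigest()

def normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' spellings of the out-of-band key."""
    return fingerprint.replace(":", "").replace(" ", "").lower()

def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate with the pin."""
    return hmac.compare_digest(cert_digest(der_cert), normalize(pinned))

def pem_digest(pem_cert: str) -> str:
    """Same digest, starting from the PEM text DER_cert_to_PEM_cert produces."""
    return cert_digest(ssl.PEM_cert_to_DER_cert(pem_cert))

def connect_pinned(host: str, port: int, pinned: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that skips CA validation but enforces the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # self-signed certificates pass this layer
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # With CERT_NONE only the binary form is populated; getpeercert() is {}.
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned):
        tls.close()
        raise ssl.SSLError("peer certificate does not match pinned digest")
    return tls

# Constructed stand-in bytes, not a real certificate: enough to exercise the
# digest and the DER/PEM helpers, which only base64-wrap their input.
SAMPLE_DER = b"constructed-sample-der-bytes-for-bob"
SAMPLE_PIN = cert_digest(SAMPLE_DER)
```

Because CA validation is off, the pin comparison is the only identity check on the connection, so no application data should be sent before connect_pinned returns.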