Classification
Title: Problem with getpeercert in the ssl module when retrieving client side certs
Type: (none) Stage: (none)
Components: Library (Lib) Versions: Python 2.6

Process
Status: closed Resolution: not a bug
Dependencies: (none) Superseder: (none)
Assigned To: (none) Nosy List: Westly.Ward, janssen, pitrou
Priority: normal Keywords: (none)

Created on 2010-05-07 20:49 by Westly.Ward, last changed 2010-09-08 23:57 by pitrou. This issue is now closed.

Files
File name Uploaded Description
ssltest.tar.gz Westly.Ward, 2010-05-07 20:49 Example script and associated files
ssltest.tar.gz Westly.Ward, 2010-05-07 21:24 (modified scripts, see msg105230)
Messages (4)
msg105227 - Author: Westly Ward (Westly.Ward) Date: 2010-05-07 20:49
I originally had this problem when writing my IRCd, but then tested it in a basic script.  The problem is that getpeercert() is always returning None when executed on the server side, even when the client is using an ssl cert.  I have included an example in the attachment.  Just run sslserver.py in one terminal window, and then run sslclient.py in the other.  I also included the two fresh ssl certs and keys I used.  In client.txt and server.txt I put the commands I used to generate the ssl certs and keys.
msg105229 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-05-07 21:06
You must use either ssl.CERT_OPTIONAL or ssl.CERT_REQUIRED if you want to retrieve the client certificate. I admit this makes the getpeercert() API a bit strange, and I'm not sure why the original decision was made.

Can you confirm this fixes your issue?
msg105230 - Author: Westly Ward (Westly.Ward) Date: 2010-05-07 21:24
When I use the argument to make certs optional, it gave me an error saying it needed the ca certs, so I downloaded them and specified to use them, and now I am getting errors from ssl.c.

Here's the error on the server side:

westly@westly-desktop ~/Desktop/ssltest $ python sslserver.py 
Traceback (most recent call last):
  File "sslserver.py", line 8, in <module>
    conn, addr, = a.accept()
  File "/usr/lib/python2.6/ssl.py", line 326, in accept
    suppress_ragged_eofs=self.suppress_ragged_eofs),
  File "/usr/lib/python2.6/ssl.py", line 118, in __init__
    self.do_handshake()
  File "/usr/lib/python2.6/ssl.py", line 293, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:480: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Here's the error on the client side:

westly@westly-desktop ~/Desktop/ssltest $ python sslclient.py 
Traceback (most recent call last):
  File "sslclient.py", line 4, in <module>
    a.connect(("127.0.0.1", 112233))
  File "/usr/lib/python2.6/ssl.py", line 309, in connect
    self.do_handshake()
  File "/usr/lib/python2.6/ssl.py", line 293, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I got the ca certs from http://www.positivessl.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt, which is from a link in the ssl module docs.

I have attached the modified scripts.
msg105236 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-05-07 21:49
> When I use the argument to make certs optional, it gave me an error
> saying it needed the ca certs, so I downloaded them and specified to use
> them, and now I am getting errors from ssl.c

You have to specify the CA cert corresponding to the Certificate
Authority (CA) who has signed your certificate.
A CA can be a company such as Verisign, etc.

However, in this case, you have self-signed the certificate; so the only
"CA cert" you can specify is the client certificate itself. If you
specify "client.crt" as the ca_certs argument, you'll see that it works.
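Added example (not the reporter's attached scripts and not CPython's own code): a Python 3 loopback server/client pair, written with the `ssl.SSLContext` API that replaced the `ssl.wrap_socket(cert_reqs=..., ca_certs=...)` calls of the 2.6 era, that reproduces the situations discussed in this thread: `CERT_NONE` never asks the client for a certificate, so the server's `getpeercert()` is `None`; `CERT_REQUIRED` with the self-signed `client.crt` loaded as the trust anchor makes `getpeercert()` return the client's subject; `CERT_REQUIRED` with a CA that never signed the client certificate fails verification on the server, which is what the reporter hit with the downloaded CA bundle; and `CERT_REQUIRED` with a client that offers no certificate fails too. It assumes the `openssl` command-line tool (1.1.1 or later, for `-addext`) is on PATH and generates throwaway self-signed certificates in a temporary directory; the function names `make_self_signed`, `handshake` and `demo` are this example's own.

```python
# Added example, not the scripts attached to this issue: a Python 3 loopback
# server/client showing what the server's getpeercert() returns under each
# verify_mode, and that a self-signed client cert must itself be the "CA" the
# server trusts.  Certificates are generated on the fly with the openssl CLI
# (assumed on PATH) in a temporary directory.
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(dirpath, name, cn):
    """Create a throwaway self-signed cert/key pair with the openssl CLI."""
    key = os.path.join(dirpath, name + ".key")
    crt = os.path.join(dirpath, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn,
         "-keyout", key, "-out", crt],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


def handshake(server_pair, client_pair, verify_mode, ca_for_server):
    """Run one loopback TLS connection and return a dict holding the server's
    getpeercert() result ("peercert") and any error seen on either side."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(*server_pair)
    srv_ctx.verify_mode = verify_mode  # CERT_NONE: the server never requests a client cert
    if verify_mode != ssl.CERT_NONE:
        # the ca_certs equivalent: who must have signed the client certificate
        srv_ctx.load_verify_locations(cafile=ca_for_server)

    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    cli_ctx.load_verify_locations(cafile=server_pair[0])  # self-signed server: its cert is the CA
    if client_pair is not None:
        cli_ctx.load_cert_chain(*client_pair)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = {}

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5)
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                result["peercert"] = tls.getpeercert()
                tls.sendall(b"ok")
        except OSError as e:  # ssl.SSLError is an OSError subclass
            result["server_error"] = str(e)

    t = threading.Thread(target=serve)
    t.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw:
            with cli_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.recv(2)  # "ok", or the alert the server sent on failure
    except OSError as e:
        result["client_error"] = str(e)
    finally:
        t.join()
        listener.close()
    return result


def demo():
    """Run the scenarios from the issue; returns {scenario name: result dict}."""
    tmp = tempfile.mkdtemp()
    try:
        server = make_self_signed(tmp, "server", "localhost")
        client = make_self_signed(tmp, "client", "client")
        return {
            # the reporter's original setup: the server never asks for a cert
            "cert_none": handshake(server, client, ssl.CERT_NONE, None),
            # the fix from msg105236: trust the self-signed client cert directly
            "required_self_signed_ca": handshake(server, client, ssl.CERT_REQUIRED, client[0]),
            # the reporter's second attempt: a CA that never signed client.crt
            "required_wrong_ca": handshake(server, client, ssl.CERT_REQUIRED, server[0]),
            # a client that presents no certificate at all
            "required_no_client_cert": handshake(server, None, ssl.CERT_REQUIRED, client[0]),
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The `required_wrong_ca` scenario is the reporter's second attempt in modern form: the server cannot build a chain from `client.crt` to the configured CA, its handshake raises a verification error, and it sends the client the "unknown ca" alert that appears in the client-side traceback above. Note that the client context keeps `check_hostname` enabled, which is why the server certificate carries a subjectAltName for `localhost`.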
History
Date User Action Args
2010-09-08 23:57:51 pitrou set status: open -> closed
2010-05-07 21:49:06 pitrou set messages: + msg105236
2010-05-07 21:24:01 Westly.Ward set files: + ssltest.tar.gz; status: pending -> open; messages: + msg105230
2010-05-07 21:06:12 pitrou set status: open -> pending; nosy: + pitrou, janssen; messages: + msg105229; resolution: not a bug
2010-05-07 20:49:51 Westly.Ward create