From: geremy condra on 28 Jul 2010 21:26

On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey Gaynor <jgaynor(a)ncsa.uiuc.edu> wrote:
> Hi,
>
> I am making a first large project in python and am having quite a bit of difficulty unscrambling various python versions and what they can/cannot do. To wit, I must communicate with certain services via https and am required to perform certificate verification on them.
>
> The problem is that I also have to do this under CentOS 5.5 which only uses python 2.4 as its default -- this is not negotiable. As near as I can tell from reading various posts, the https client does not do verification and there is no low-level SSL support to provide a workaround. Near as I can tell from reading, 2.6 does include this. Am I getting this right? Is there a simple way to do this? More to the point, I need to know pretty darn quick if this is impossible so we can try and plan for it.
>
> So the quick question: Has anyone done certificate verification using 2.4 and if so, how?
>
> Thanks!

M2Crypto is the way to go here. I think there's an example on their site.

Geremy Condra
From: John Nagle on 29 Jul 2010 01:08

On 7/28/2010 6:26 PM, geremy condra wrote:
> On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey Gaynor<jgaynor(a)ncsa.uiuc.edu> wrote:
>> Hi,
>>
>> I am making a first large project in python and am having quite a bit of difficulty unscrambling various python versions and what they can/cannot do. To wit, I must communicate with certain services via https and am required to perform certificate verification on them.
>>
>> The problem is that I also have to do this under CentOS 5.5 which only uses python 2.4 as its default -- this is not negotiable. As near as I can tell from reading various posts, the https client does not do verification and there is no low-level SSL support to provide a workaround. Near as I can tell from reading, 2.6 does include this. Am I getting this right? Is there a simple way to do this? More to the point, I need to know pretty darn quick if this is impossible so we can try and plan for it.
>>
>> So the quick question: Has anyone done certificate verification using 2.4 and if so, how?
>>
>> Thanks!
>
> M2Crypto is the way to go here. I think there's an example on their site.

M2Crypto does that job quite well. Installing M2Crypto tends to be painful if you have to build it, though. See if you can find a pre-built version.

You then need a "cacert.pem" file, with the root certificates you're going to trust. You can get one from

http://curl.haxx.se/docs/caextract.html

which converts Mozilla's format to a .pem file once a week. The actual Mozilla source file is at

http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt

but M2Crypto needs it in .pem format.

The new Python SSL module in 2.6 and later has a huge built-in security hole - it doesn't verify the domain against the certificate. As someone else put it, this means "you get to talk securely with your attacker." As long as the site or proxy has some valid SSL cert, any valid SSL cert copied from anywhere, the new Python SSL module will tell you everything is just fine.

John Nagle
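The missing check John describes, as an added example that is not code from this thread: a hostname check over the dict that `getpeercert()` returns (SAN dNSName entries first, subject CN only as a fallback), plus an assumed `connect_verified` wrapper that pairs it with chain verification against a `cacert.pem` bundle; the bundle path and the wrapper name are assumptions.

```python
import socket
import ssl


class CertificateError(ValueError):
    """Peer certificate does not name the host we intended to reach."""


def _dnsname_match(pattern, hostname):
    """One certificate name vs. the hostname. A '*' may only stand for the
    whole leftmost label: '*.example.com' matches 'a.example.com' but not
    'example.com', 'x.y.example.com' or (no partial wildcards) 'ex*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_dns_names(cert):
    """Names a cert is valid for, from the dict getpeercert() returns: dNSName
    SAN entries, falling back to the subject commonName only when none exist."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def hostname_matches(cert, hostname):
    """The check 2.6's ssl module omitted: a valid chain proves the peer holds
    *some* trusted certificate; this proves it is the one for `hostname`."""
    if not cert:  # also what you get when cert_reqs was left at CERT_NONE
        return False
    return any(_dnsname_match(n, hostname) for n in cert_dns_names(cert))


def connect_verified(host, port=443, ca_certs="cacert.pem"):
    """Assumed helper: chain check against the roots in ca_certs (e.g. the curl
    bundle above) AND the name check. Python 2.7.9+/3.2+ do the latter too."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.load_verify_locations(ca_certs)
    tls = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not hostname_matches(tls.getpeercert(), host):  # explicit so the step shows
        tls.close()
        raise CertificateError("certificate does not match %r" % host)
    return tls
```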
From: geremy condra on 29 Jul 2010 01:23

On Wed, Jul 28, 2010 at 10:08 PM, John Nagle <nagle(a)animats.com> wrote:
> On 7/28/2010 6:26 PM, geremy condra wrote:
>> On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey Gaynor<jgaynor(a)ncsa.uiuc.edu> wrote:
>>> Hi,
>>>
>>> I am making a first large project in python and am having quite a bit of difficulty unscrambling various python versions and what they can/cannot do. To wit, I must communicate with certain services via https and am required to perform certificate verification on them.
>>>
>>> The problem is that I also have to do this under CentOS 5.5 which only uses python 2.4 as its default -- this is not negotiable. As near as I can tell from reading various posts, the https client does not do verification and there is no low-level SSL support to provide a workaround. Near as I can tell from reading, 2.6 does include this. Am I getting this right? Is there a simple way to do this? More to the point, I need to know pretty darn quick if this is impossible so we can try and plan for it.
>>>
>>> So the quick question: Has anyone done certificate verification using 2.4 and if so, how?
>>>
>>> Thanks!
>>
>> M2Crypto is the way to go here. I think there's an example on their site.
>
> M2Crypto does that job quite well. Installing M2Crypto tends to be painful if you have to build it, though. See if you can find a pre-built version.
>
> You then need a "cacert.pem" file, with the root certificates you're going to trust. You can get one from
>
> http://curl.haxx.se/docs/caextract.html
>
> which converts Mozilla's format to a .pem file once a week. The actual Mozilla source file is at
>
> http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
>
> but M2Crypto needs it in .pem format.
>
> The new Python SSL module in 2.6 and later has a huge built-in security hole - it doesn't verify the domain against the certificate. As someone else put it, this means "you get to talk securely with your attacker." As long as the site or proxy has some valid SSL cert, any valid SSL cert copied from anywhere, the new Python SSL module will tell you everything is just fine.
>
> John Nagle

Did anything ever come of the discussion that you and Antoine had?

Geremy Condra

PS- the quote is due to Justin Samuel
From: Jeffrey Gaynor on 29 Jul 2010 10:07

Thank you! This is what I was looking for.

A final question -- how widely is M2Crypto used? Since I will have to now pitch to our group that this is preferable, the first questions they will ask are about stability, who is using it and how secure is it really, especially since it is at version 0.20.2 (i.e. no major release yet).

Thanks again!

Jeff

----- Original Message -----
From: "John Nagle" <nagle(a)animats.com>
To: python-list(a)python.org
Sent: Thursday, July 29, 2010 12:08:57 AM
Subject: Re: Newbie question regarding SSL and certificate verification

On 7/28/2010 6:26 PM, geremy condra wrote:
> On Wed, Jul 28, 2010 at 4:41 PM, Jeffrey Gaynor<jgaynor(a)ncsa.uiuc.edu> wrote:
>> Hi,
>>
>> I am making a first large project in python and am having quite a bit of difficulty unscrambling various python versions and what they can/cannot do. To wit, I must communicate with certain services via https and am required to perform certificate verification on them.
>>
>> The problem is that I also have to do this under CentOS 5.5 which only uses python 2.4 as its default -- this is not negotiable. As near as I can tell from reading various posts, the https client does not do verification and there is no low-level SSL support to provide a workaround. Near as I can tell from reading, 2.6 does include this. Am I getting this right? Is there a simple way to do this? More to the point, I need to know pretty darn quick if this is impossible so we can try and plan for it.
>>
>> So the quick question: Has anyone done certificate verification using 2.4 and if so, how?
>>
>> Thanks!
>
> M2Crypto is the way to go here. I think there's an example on their site.

M2Crypto does that job quite well. Installing M2Crypto tends to be painful if you have to build it, though. See if you can find a pre-built version.

You then need a "cacert.pem" file, with the root certificates you're going to trust. You can get one from

http://curl.haxx.se/docs/caextract.html

which converts Mozilla's format to a .pem file once a week. The actual Mozilla source file is at

http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt

but M2Crypto needs it in .pem format.

The new Python SSL module in 2.6 and later has a huge built-in security hole - it doesn't verify the domain against the certificate. As someone else put it, this means "you get to talk securely with your attacker." As long as the site or proxy has some valid SSL cert, any valid SSL cert copied from anywhere, the new Python SSL module will tell you everything is just fine.

John Nagle
From: David Robinow on 29 Jul 2010 10:54
On Thu, Jul 29, 2010 at 10:07 AM, Jeffrey Gaynor <jgaynor(a)ncsa.uiuc.edu> wrote:
> ...
> A final question -- how widely is M2Crypto used? Since I will have to now pitch to our group that this is preferable, the first questions they will ask are about stability, who is using it and how secure is it really, especially since it is at version 0.20.2 (i.e. no major release yet).

I know very little about security, but one thing I think I know. Never use security software version 1.0 or greater. It was written by an author insufficiently paranoid.