Comment 0 for bug 314814

Markus Kettunen (makegho-blobtrox) wrote :

The server uses a self-signed certificate and the client does not trust it (loading the CA certificate in client.py is commented out, so the client has no trust anchors).
Thus the handshake fails, as it should.

But in addition, if VerifyCallback prints x509.get_issuer().get_components (the bound method object), or if that method is actually called,
another exception is raised: ('asn1 encoding routines', 'a2d_ASN1_OBJECT', 'first num too large'). This does not
happen when the handshake succeeds.

As a workaround, x509.get_issuer().commonName can be read inside the callback, but .get_components() cannot.

I'm using
Python 2.6.1 (r261:67515, Jan 7 2009, 15:48:16)
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
<module 'OpenSSL.version' from '/usr/local/lib/python2.6/site-packages/pyOpenSSL-0.8-py2.6-linux-i686.egg/OpenSSL/version.pyc'>

After creating the self-signed server certificate at cert/server.pem (and optionally copying it to cert/ca.pem),
I run python server.py in one terminal and python client.py in another.

#minssl.py
#---------

import socket
import OpenSSL

# Module-wide SSL context shared by ClientSocket and ServerSocket. It is set
# by InitServer() or InitClient(), so one process acts in exactly one role.
min_sslcontext = None

# OpenSSL cipher string: high-strength suites only; excludes anonymous DH
# (unauthenticated), export-grade and MD5-based suites; strongest first.
# NOTE(review): "!ADH" covers anonymous DH only — "!aNULL" would exclude every
# unauthenticated suite; confirm against the OpenSSL version in use.
CIPHERS = "HIGH:!ADH:!EXP:!MD5:@STRENGTH"

def InitServer(servercertchain, serverprivkey):
 """Build the module-wide server-side SSL context.

 Args:
  servercertchain: PEM file holding the server certificate chain.
  serverprivkey: PEM file holding the matching private key (may be the
   same file as the chain, as in server.py).

 Side effects:
  Replaces the global ``min_sslcontext`` and seeds OpenSSL's PRNG.
 """
 global min_sslcontext

 # Bind the global first and configure through a local alias.
 min_sslcontext = ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)

 ctx.use_certificate_chain_file(servercertchain)
 ctx.use_privatekey_file(serverprivkey)
 ctx.set_verify_depth(3)

 # VERIFY_NONE: the client is never asked for a certificate, so the
 # callback only matters for logging. No client authentication.
 ctx.set_verify(OpenSSL.SSL.VERIFY_NONE, VerifyCallback)
 ctx.set_cipher_list(CIPHERS)

 # Seed OpenSSL's PRNG from the kernel before any handshake.
 OpenSSL.rand.load_file("/dev/urandom", 255)

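def InitClient(rootcert=None):
 """Build the module-wide client-side SSL context.

 Args:
  rootcert: iterable of PEM files containing trusted CA certificates.
   ``None`` (the default) means no trust anchors at all; combined with
   VERIFY_PEER below, every server certificate is then rejected.

 Side effects:
  Replaces the global ``min_sslcontext`` and seeds OpenSSL's PRNG.
 """
 global min_sslcontext

 # A mutable default argument ([]) would be shared across calls; use None.
 if rootcert is None:
  rootcert = []

 method = OpenSSL.SSL.TLSv1_METHOD
 min_sslcontext = OpenSSL.SSL.Context(method)

 for rc in rootcert:
  min_sslcontext.load_verify_locations(rc)

 min_sslcontext.set_verify_depth(3)
 # VERIFY_PEER: the server must present a certificate that chains to a
 # loaded root. VerifyCallback returns OpenSSL's verdict unchanged, so the
 # handshake fails for an untrusted (e.g. self-signed) server certificate.
 # NOTE(review): nothing here or in ClientSocket checks that the certificate
 # names the host being connected to; hostname matching is left to the caller.
 min_sslcontext.set_verify(OpenSSL.SSL.VERIFY_PEER, VerifyCallback)

 min_sslcontext.set_cipher_list(CIPHERS)

 # Seed OpenSSL's PRNG from the kernel before any handshake.
 OpenSSL.rand.load_file("/dev/urandom", 255)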

class ClientSocket():
 """TCP client that runs a TLS handshake using the module-wide min_sslcontext.

 InitClient() must have been called first. Attributes ``host``, ``sock``
 (plain socket) and ``sslconn`` (OpenSSL.SSL.Connection) are exposed.
 """

 def __init__(self, host, port):
  self.host = host

  plain = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  self.sock = plain
  plain.connect((host, port))

  tls = OpenSSL.SSL.Connection(min_sslcontext, plain)
  self.sslconn = tls
  tls.set_connect_state()

  # Handshake runs here; with VERIFY_PEER and no trusted roots this raises
  # for a self-signed server certificate.
  tls.do_handshake() # <---

class ServerSocket():
 """Listening TCP socket on localhost:port wrapped in the module-wide
 min_sslcontext. InitServer() must have been called first."""

 def __init__(self, port):
  self.sock = None
  self.sslconn = None

  self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  # Lets the test server be restarted without waiting out TIME_WAIT.
  self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

  # Loopback only: not reachable from other hosts.
  self.sock.bind( ("localhost", port) )

  self.sock.listen(True)

  self.sslconn = OpenSSL.SSL.Connection( min_sslcontext, self.sock )
  self.sslconn.set_accept_state()

 def accept(self):
  """Accept one client and complete the TLS handshake.

  Returns:
   The (socket, address) pair from Connection.accept(). The Connection
   on which do_handshake() ran (``clientconn``) is discarded.
  """
  # NOTE(review): OpenSSL.SSL.Connection.accept() already returns an SSL
  # Connection wrapping the accepted socket, so the second wrap below looks
  # redundant — confirm against the pyOpenSSL version in use.
  clientsock, clientaddr = self.sslconn.accept()
  clientconn = OpenSSL.SSL.Connection(min_sslcontext, clientsock)

  clientconn.set_accept_state()
  # The server context uses VERIFY_NONE (InitServer), so no client
  # certificate is requested during this handshake.
  clientconn.do_handshake()

  return clientsock, clientaddr

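def VerifyCallback(sslconn, x509, errnum, errdepth, retcode):
 """Print the issuer of a certificate being verified and pass OpenSSL's verdict through.

 Registered via ``set_verify`` in InitServer/InitClient; OpenSSL invokes it
 for each certificate it examines in the peer's chain.

 Args:
  sslconn: the OpenSSL.SSL.Connection under verification.
  x509: the certificate currently being checked.
  errnum: OpenSSL verification error code for this certificate (0 = ok).
  errdepth: depth of ``x509`` in the chain (0 is the peer's own certificate).
  retcode: OpenSSL's own accept/reject decision for this certificate.

 Returns:
  ``retcode`` unchanged. Returning a hard-coded true value here would
  accept any certificate, including untrusted self-signed ones.
 """
 # get_components() must be called; a bare method reference only prints
 # the bound-method repr. NOTE(review): the report above states that in
 # pyOpenSSL 0.8 this call raises an asn1 'first num too large' error while
 # a failing handshake is being verified; get_issuer().commonName is the
 # workaround the reporter found.
 print(x509.get_issuer().get_components())
 return retcode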

# client.py
-----------

import minssl

# No trust anchors on purpose: with VERIFY_PEER the server's self-signed
# certificate is rejected. Pass ["cert/ca.pem"] to make the handshake succeed.
trusted_roots = [] # "cert/ca.pem"
minssl.InitClient(trusted_roots)
sock = minssl.ClientSocket("localhost", 1234)

# server.py
-----------

import minssl

# One PEM file carries both the server certificate and its private key.
server_pem = "cert/server.pem"
minssl.InitServer(server_pem, server_pem)

sock = minssl.ServerSocket(1234)
# Blocks until a client connects; the TLS handshake happens inside accept().
insock, inaddr = sock.accept()