A grump about the socket module's SSL support

January 17, 2007

It is nice that Python's socket module has simple SSL support (although it has some limitations). My grump is that it doesn't give you any good way of checking the identity of the server's certificate, which is especially annoying as the SSL code doesn't do any certificate verification.

(This matters to me because I have recently become quite interested in being able to verify machines by checking that they have a specific SSL certificate.)

What SSL objects have is .issuer() and .server(), which give you the text form of the 'distinguished name' for the certificate authority (if any) and the server certificate. In practice, these are useless for reliably identifying a specific server (in part because there are significant ambiguities in the text versions of distinguished names, see eg this bug report).

What you actually need is information about the server certificate itself. The best thing would be a full copy of the server certificate as a binary object (since then I can just do whatever I want with it, including comparing it to my existing copy), but I'd be reasonably happy with a hash or other signature of the server's certificate. (And OpenSSL already has functions that will give you the certificate; I believe it would take two OpenSSL calls to pull the certificate out as a memory blob, namely SSL_get_peer_certificate followed by an appropriate i2d_X509 invocation.)

But I suppose that I shouldn't be too surprised. Almost nothing seems to offer an option to accept only a specific server certificate; at best you can insist that the certificate you get is signed by a specific CA.

Written on 17 January 2007.
« Why I don't have a GPG key
Why I want direct certificate checking instead of having to rely on CAs »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Jan 17 14:01:28 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.