On Mon, Nov 10, 2014 at 8:30 AM, Viktor Dukhovni <[email protected]> wrote:
> On Mon, Nov 10, 2014 at 08:02:38AM -1000, Shumon Huque wrote:
>
> > There's a slightly newer version of that script in the develop branch:
> >
> > https://github.com/getdnsapi/getdns-python-bindings/blob/develop/examples/checkdanecert.py
> >
> > Note that this script currently only does usage type 3, and it works for
> > services that do SSL first (rather than negotiate STARTTLS). The Python
> > M2Crypto SSL interface has some significant limitations. For example, it
> > doesn't expose the function to set the TLS SNI extension, so on some
> > multihomed servers, the server won't be able to figure out the correct
> > certificate to present, leading to the script failing the check.
>
> The "swede" code on github, for all its faults, seems to suggest that
> M2Crypto does in fact support SNI.
>
> from M2Crypto import X509, SSL
> ...
>     connection = SSL.Connection(ctx, sock=sock)
>     # Try to use SNI for virtual hosts if available
>     try:
>         # We don't want the trailing dot here
>         connection.set_tlsext_host_name(args.host[:-1])
>
> Perhaps you need a sufficiently new version of the module.
>

The latest official release of M2Crypto doesn't support it (there is a
long-standing unaddressed bug report filed on the topic). Some OS
distributions however (such as Fedora) have local patches that add it.

My code currently does this (use it if available):

    # set TLS SNI extension if available in M2Crypto on this platform
    # Note: the official M2Crypto release does not yet (as of late 2014)
    # have support for SNI, sigh, but patches exist.
    try:
        connection.set_tlsext_host_name(hostname)
    except AttributeError:
        pass

The Fedora patch also does it incompletely. It allows you to call the
function and set the SNI extension but then doesn't use it properly in
hostname matching checks (e.g. if you explicitly connect to an IP
address it will complain).

> > We have a more complete Python example that additionally does the PKIX-*
> > mode checks (0 and 1), and we had slides on that example in our recent
> > RIPE69 getdns tutorial (which we ran out of time to present during the
> > session itself). I'll work on getting that example posted on the github
> > site soon.
>
> The ssl_dane library is easy to embed into Python (perhaps easier
> than into Perl). That may be a good approach, and would support
> all the parameter values and other fine details. It uses OpenSSL
> for the underlying non-DANE-specific bits.

Thanks for the pointer. I'll take a look at ssl_dane.

--Shumon.
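The usage-type-3 (DANE-EE) matching step that the thread's checkdanecert.py performs, as an added example written for this page rather than code from the script, M2Crypto or ssl_dane. It uses only the Python standard library so it runs offline: the function names, the tiny DER walker and the constructed `toy_cert()` (a syntactically minimal certificate, not a real one) are all assumptions of this example; the selector and matching-type semantics follow RFC 6698.

```python
import hashlib

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der(tag, content):
    """Encode one DER TLV (used only to build the constructed test certificate)."""
    return bytes([tag]) + _der_len(len(content)) + content
def _read_tlv(buf, pos):
    """Return (tag, value, position after this TLV) for the DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 cert (RFC 5280 field order)."""
    _, cert_body, _ = _read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)        # tbsCertificate SEQUENCE
    pos = 0
    if tbs[0] == 0xA0:                         # optional explicit [0] version
        _, _, pos = _read_tlv(tbs, pos)
    for _ in range(5):                         # serial, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]
def assoc_data(selector, mtype, cert_der):
    """RFC 6698 association data: selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = raw/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
def tlsa_matches(usage, selector, mtype, rr_data, cert_der):
    """DANE-EE (usage 3) check: the leaf certificate the server presented must match the TLSA RR."""
    if usage != 3:
        raise ValueError("only usage 3 (DANE-EE) is handled here, like checkdanecert.py")
    return assoc_data(selector, mtype, cert_der) == rr_data

def toy_cert():
    """Constructed, syntactically minimal certificate for offline testing (not a real cert)."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
    spki = der(0x30, der(0x30, rsa_oid + der(0x05, b"")) + der(0x03, b"\x00" + b"\xab" * 16))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, rsa_oid)
              + der(0x30, b"") + der(0x30, der(0x17, b"141110000000Z") * 2) + der(0x30, b"") + spki)
    return der(0x30, tbs + der(0x30, rsa_oid) + der(0x03, b"\x00\xcd"))
```

On a live connection `cert_der` is the DER the peer presents (for example `getpeercert(binary_form=True)` on a socket wrapped by Python's `ssl` module, whose `wrap_socket` also takes `server_hostname=` for SNI) and the usage, selector, matching type and data come from the TLSA lookup.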
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
