Re: Secure ssl connection with wrap_socket

2011-07-06 Thread AndDM
On Jul 5, 4:08 pm, Jean-Paul Calderone calderone.jeanp...@gmail.com
wrote:
 On Jul 5, 4:52 am, Andrea Di Mario anddima...@gmail.com wrote:

  Hi, I'm a new python user and I'm writing a small web service with ssl.
  I want to use a self-signed certificate like in the
  wiki: http://docs.python.org/dev/library/ssl.html#certificates
  I've used wrap_socket, but if I try to use
  cert_reqs=ssl.CERT_REQUIRED, it doesn't work with error:

  urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
  specified for verification of other-side certificates.>

  It works only with CERT_NONE (the default), but with this option I
  could access the service in insecure mode.

  Do you have any suggestions for my service?

 Also specify some root certificates to use in verifying the peer's
 certificate.  Certificate verification works by proceeding from a
 collection of root certificates which are explicitly trusted.  These
 are used to sign other certificates (which may in turn be used to sign
 others, which in turn...).  The process of certificate verification is
 the process of following the signatures from the certificate in use by
 the server you connect to back up the chain until you reach a root
 which you have either decided to trust or not.  If the signatures are
 all valid and the root is one you trust, then you have established a
 connection to a trusted entity.  If any signature is invalid, or the
 root is not one you trust, then you have not.

 The root certificates are also called the ca certificates or
 certificate authority certificates.  `wrap_socket` accepts a
 `ca_certs` argument.  
 See http://docs.python.org/library/ssl.html#ssl-certificates
 for details about that argument.

 Jean-Paul

Hi Jean-Paul, I thought that with a self-signed certificate I shouldn't
use the ca_certs option. Now I've created a certificate authority and I
use this command:

 self.sock = ssl.wrap_socket(sock, certfile="ca/certs/myfriend.cert.pem",
                             keyfile="ca/private/myfriend.key.pem",
                             ca_certs="/home/andrea/ca/certs/cacert.pem",
                             cert_reqs=ssl.CERT_REQUIRED)

When I use the same machine as client and server it works, but when I use
another machine as the client, I get this:

Traceback (most recent call last):
  File "loginsender.py", line 48, in <module>
    handle = url_opener.open('https://debian.andrea.it:10700/%s+%s' %
(DATA,IPIN))
  File "/usr/lib/python2.6/urllib2.py", line 391, in open
    response = self._open(req, data)
  File "/usr/lib/python2.6/urllib2.py", line 409, in _open
    '_open', req)
  File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "loginsender.py", line 33, in https_open
    return self.do_open(self.specialized_conn_class, req)
  File "/usr/lib/python2.6/urllib2.py", line 1145, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 185090050] _ssl.c:328: error:
0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>

I see that I should create a certificate with server, client and
certificate authority, but I'm not clear on the ca_certs option and
which path I should use.
Do you have any suggestion?

Thanks. Regards.
-- 
http://mail.python.org/mailman/listinfo/python-list


Re: Secure ssl connection with wrap_socket

2011-07-06 Thread Jean-Paul Calderone
On Jul 6, 4:44 am, AndDM anddima...@gmail.com wrote:
 On Jul 5, 4:08 pm, Jean-Paul Calderone calderone.jeanp...@gmail.com
 wrote:



  On Jul 5, 4:52 am, Andrea Di Mario anddima...@gmail.com wrote:

   Hi, I'm a new python user and I'm writing a small web service with ssl.
   I want to use a self-signed certificate like in the
   wiki: http://docs.python.org/dev/library/ssl.html#certificates
   I've used wrap_socket, but if I try to use
   cert_reqs=ssl.CERT_REQUIRED, it doesn't work with error:

   urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
   specified for verification of other-side certificates.>

   It works only with CERT_NONE (the default), but with this option I
   could access the service in insecure mode.

   Do you have any suggestions for my service?

  Also specify some root certificates to use in verifying the peer's
  certificate.  Certificate verification works by proceeding from a
  collection of root certificates which are explicitly trusted.  These
  are used to sign other certificates (which may in turn be used to sign
  others, which in turn...).  The process of certificate verification is
  the process of following the signatures from the certificate in use by
  the server you connect to back up the chain until you reach a root
  which you have either decided to trust or not.  If the signatures are
  all valid and the root is one you trust, then you have established a
  connection to a trusted entity.  If any signature is invalid, or the
  root is not one you trust, then you have not.

  The root certificates are also called the ca certificates or
  certificate authority certificates.  `wrap_socket` accepts a
  `ca_certs` argument.  
  See http://docs.python.org/library/ssl.html#ssl-certificates
  for details about that argument.

  Jean-Paul

 Hi Jean-Paul, I thought that with a self-signed certificate I shouldn't
 use the ca_certs option. Now I've created a certificate authority and I
 use this command:

  self.sock = ssl.wrap_socket(sock, certfile="ca/certs/myfriend.cert.pem",
                              keyfile="ca/private/myfriend.key.pem",
                              ca_certs="/home/andrea/ca/certs/cacert.pem",
                              cert_reqs=ssl.CERT_REQUIRED)

 When I use the same machine as client and server it works, but when I use
 another machine as the client, I get this:

 Traceback (most recent call last):
   File "loginsender.py", line 48, in <module>
     handle = url_opener.open('https://debian.andrea.it:10700/%s+%s' %
 (DATA,IPIN))
   File "/usr/lib/python2.6/urllib2.py", line 391, in open
     response = self._open(req, data)
   File "/usr/lib/python2.6/urllib2.py", line 409, in _open
     '_open', req)
   File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
     result = func(*args)
   File "loginsender.py", line 33, in https_open
     return self.do_open(self.specialized_conn_class, req)
   File "/usr/lib/python2.6/urllib2.py", line 1145, in do_open
     raise URLError(err)
 urllib2.URLError: <urlopen error [Errno 185090050] _ssl.c:328: error:
 0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>

 I see that I should create a certificate with server, client and
 certificate authority, but I'm not clear on the ca_certs option and
 which path I should use.
 Do you have any suggestion?

You need to have the CA certificate on any machine that is going to
verify the certificate used on the SSL connection.  The path just
needs to be the path to that CA certificate on the client machine.

Jean-Paul


Re: Secure ssl connection with wrap_socket

2011-07-05 Thread Jean-Paul Calderone
On Jul 5, 4:52 am, Andrea Di Mario anddima...@gmail.com wrote:
 Hi, I'm a new python user and I'm writing a small web service with ssl.
 I want to use a self-signed certificate like in the
 wiki: http://docs.python.org/dev/library/ssl.html#certificates
 I've used wrap_socket, but if I try to use
 cert_reqs=ssl.CERT_REQUIRED, it doesn't work with error:

 urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
 specified for verification of other-side certificates.>

 It works only with CERT_NONE (the default), but with this option I
 could access the service in insecure mode.

 Do you have any suggestions for my service?


Also specify some root certificates to use in verifying the peer's
certificate.  Certificate verification works by proceeding from a
collection of root certificates which are explicitly trusted.  These
are used to sign other certificates (which may in turn be used to sign
others, which in turn...).  The process of certificate verification is
the process of following the signatures from the certificate in use by
the server you connect to back up the chain until you reach a root
which you have either decided to trust or not.  If the signatures are
all valid and the root is one you trust, then you have established a
connection to a trusted entity.  If any signature is invalid, or the
root is not one you trust, then you have not.

The root certificates are also called the ca certificates or
certificate authority certificates.  `wrap_socket` accepts a
`ca_certs` argument.  See 
http://docs.python.org/library/ssl.html#ssl-certificates
for details about that argument.

Jean-Paul
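The point Jean-Paul makes in both replies (the client can only walk the chain back to a root it trusts if that root, the CA certificate, is present on the client), as an added example that is not code from this thread. It uses the standard-library ssl module through the SSLContext API, which replaced the wrap_socket() function the thread discusses (removed in Python 3.12), and assumes the openssl command-line tool is on PATH so it can mint a throwaway CA and a server certificate signed by it. File names, the "Test CA" and "localhost" names, and the loopback port are constructed for the demo. The first connection loads no CA and fails verification, which is the error the original post hit with CERT_REQUIRED; the second loads cacert.pem and succeeds.

```python
"""Added example (not from the thread): a client needs the CA certificate
loaded before CERT_REQUIRED verification of a CA-signed server cert can
succeed. Assumes the `openssl` CLI is on PATH; everything else is stdlib."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"          # constructed: everything stays on loopback
SERVER_NAME = "localhost"   # constructed: the name the server cert is issued for

# Minimal openssl req config so the demo does not depend on a system openssl.cnf.
REQ_CONF = """[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
"""


def openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_test_pki(workdir):
    """Mint a self-signed CA plus a server cert signed by it (constructed test PKI)."""
    def p(name):
        return os.path.join(workdir, name)
    with open(p("req.cnf"), "w") as f:
        f.write(REQ_CONF)
    with open(p("san.cnf"), "w") as f:      # the SAN is what hostname checking matches
        f.write(f"subjectAltName=DNS:{SERVER_NAME}\n")
    # The CA: self-signed. This one file is what every client must be given to trust.
    openssl("req", "-config", p("req.cnf"), "-x509", "-newkey", "rsa:2048", "-nodes",
            "-days", "1", "-subj", "/CN=Test CA", "-keyout", p("ca.key"), "-out", p("cacert.pem"))
    # The server: a CSR signed by the CA, so its chain leads back to cacert.pem.
    openssl("req", "-config", p("req.cnf"), "-new", "-newkey", "rsa:2048", "-nodes",
            "-subj", f"/CN={SERVER_NAME}", "-keyout", p("server.key"), "-out", p("server.csr"))
    openssl("x509", "-req", "-days", "1", "-in", p("server.csr"), "-CA", p("cacert.pem"),
            "-CAkey", p("ca.key"), "-CAcreateserial", "-extfile", p("san.cnf"),
            "-out", p("server.pem"))
    return p("cacert.pem"), p("server.pem"), p("server.key")


def serve(listener, srv_cert, srv_key, n_clients):
    """Accept n_clients TLS connections and send each a greeting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(srv_cert, srv_key)   # the server's own certfile/keyfile
    for _ in range(n_clients):
        conn, _ = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello from a verified server\n")
        except OSError:
            pass   # a client that rejects our cert aborts the handshake; expected


def connect(port, ca_certs=None):
    """Client side. Returns ("ok", peer CN) or ("failed", OpenSSL verify message)."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True, but
    # its trust store starts empty: nothing is trusted until a CA is loaded.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_certs:
        ctx.load_verify_locations(cafile=ca_certs)   # today's form of ca_certs=
    try:
        with socket.create_connection((HOST, port)) as raw:
            with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
                tls.recv(64)
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return "ok", subject["commonName"]
    except ssl.SSLCertVerificationError as e:
        return "failed", e.verify_message


def demo():
    """Run the server on loopback and try the client without and with the CA."""
    with tempfile.TemporaryDirectory() as workdir:
        ca_cert, srv_cert, srv_key = make_test_pki(workdir)
        listener = socket.socket()
        listener.bind((HOST, 0))
        listener.listen(2)
        port = listener.getsockname()[1]
        t = threading.Thread(target=serve, args=(listener, srv_cert, srv_key, 2), daemon=True)
        t.start()
        without_ca = connect(port)        # CERT_REQUIRED with no CA: cannot verify
        with_ca = connect(port, ca_cert)  # cacert.pem present on the client side
        t.join(timeout=10)
        listener.close()
        return without_ca, with_ca


if __name__ == "__main__":
    print(demo())
```

On the second machine in the thread, the equivalent of `ca_cert` here is a copy of cacert.pem placed on that client and referenced by its path there; the `X509_load_cert_crl_file:system lib` error is what OpenSSL reports when the file named in ca_certs cannot be opened. The server's certificate and private key never need to leave the server; only the CA certificate (which contains no private key) is distributed to clients.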