Hi Tim, thanks for responding--no worries on the delay.

There was a mistake on my original post, mycert should be paired with the
private key, not the cert with the cert. [that's what I get for editing the
post to try and clarify it].  You can test the posted cert/key pair where
the private key has a zeroed out line, and see that it still runs fine.

Not sure if this helps, but it looks like someone has somewhat recently
written python code to do verification of keys:
http://stuvel.eu/rsa

On Mon, Nov 22, 2010 at 8:02 PM, Timbo <[email protected]> wrote:

> Dave,
>
> Sorry it's taken me so long to get back to you on this.  I've taken a
> quick look at this and need a little more information.
>
> First of all, you're using one file as your key and your cert file.
> But the file you've supplied only contains a cert.  Naturally it can't
> be used as a key unless it contains a key.
>
> http://docs.python.org/dev/library/ssl.html#combined-key-and-certificate
>
> At this point, I'm only addressing the potential issues with Rocket.
> So I'm not going to address the admin-disablement thing.
>
> Currently neither Rocket nor web2py verifies that the key and cert
> file you supply actually match each other; Rocket just trusts that you
> know what you're doing.  Hence why zeroing out a line does not prevent
> it from serving what you give it.
>
> I don't see an easy way in Python to match the two right now.  I've
> only done a cursory look, but if you know a better way...I'm all ears.
>
> Cheers,
> tim
>
>
> On Nov 9, 11:45 pm, Dave Johnson <[email protected]> wrote:
> > If you start up web2py with key/cert for SSL, web2py runs in SSL mode.
> >
> > In the startup message it says you can connect via http, but if you
> > attempt to connect via plain http, you will get a
> >
> > "Bad Request"
> >
> > in your browser.
> >
> > [d...@thinkbox web2py]$ python web2py.py -c mycert.pem -k mycert.pem -i
> > 192.168.1.119 -a hi
> > web2py Enterprise Web Framework
> > Created by Massimo Di Pierro, Copyright 2007-2010
> > Version 1.88.2 (2010-10-29 23:04:43)
> > Database drivers available: SQLite3
> > Starting hardcron...
> > please visit:
> >        http://192.168.1.119:8000
> > use "kill -SIGTERM 30522" to shutdown the web2py server
> > =============
> >
> > Here are some thoughts:
> >
> > * If not running SSL and you specified a non-loopback interface for
> > web2py to run on, the command line "should" warn about possible
> > disablement of admin site?
> >
> > * Check that if you specify a cert on command line, you need to specify a
> > key (and vice-versa?)
> >   -- The command line silently "fails" (although there is checking in
> > main.py:)
> >         if not ssl_certificate or not ssl_private_key:
> >               logger.info('SSL is off')
> >
> > * Do a check that private key and cert match.
> >
> > And now for the more interesting item, for some reason SSL connection
> > still works with the following cert private key (note: I zeroed out a
> > line in my private key!)
> > Am I missing something here...?
> >
> > [d...@thinkbox web2py]$ cat mycert.pem
> > -----BEGIN CERTIFICATE-----
> > MIIDVzCCAj+gAwIBAgIJAKXRQfLWAi/BMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
> > BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
> > Q29tcGFueSBMdGQwHhcNMTAxMDE2MjEyNTA1WhcNMTExMDE2MjEyNTA1WjBCMQsw
> > CQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZh
> > dWx0IENvbXBhbnkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
> > 5TBJypoZfgg630Sx7olCd0PDNhx6dghffVecgW+1BkD7uAGbCaSXg7AgiwTNZJmw
> > VO6oiivRgaZi39XG7gy//2uxXcu7d116GkYTRxUSx845O8cCeQm0Kj/ucQ6IfheR
> > RTtVAUThBTKNEAtM6Mx6wGk3uHVktvh/MqTKhIvbuJmwj8BLB7w+d99tD4981Fhc
> > mvAYIGnf/0jOwG79LiG6DNIuQyPXnVUtf5S6pU2XaJwmUMy2kkhgowvIM33pNKLi
> > T0D7LjbvxlrcvfgwoH6GfCT38UX1oGyWJT45cFRiTSXBgxAHajlyM6r5YhTnFCmZ
> > hVjjGpXtQcQk9obCX6wI0wIDAQABo1AwTjAdBgNVHQ4EFgQULPMBvZYIXHsebZ+W
> > PpSjvxH2gjswHwYDVR0jBBgwFoAULPMBvZYIXHsebZ+WPpSjvxH2gjswDAYDVR0T
> > BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEARDXQp8o7aeoiYIsYbqHxpjRyDwDc
> > D0klMH86ToLY13ZSRJzk3WzXIqKnPAeae1IyZ66SH9PQU/u8vQLvvReapF1kiOnD
> > n6+knUad22olxLVXZ9thyB6NZco9Mh8q3jz27GtSXEQNaVwVQJ2IwsC5XUz1yKgz
> > ZJbeW8AdqP9PlacgowYPFMiWvOD1VzRKW5NY5TUKV3cE4JJCiWH0rx7t5GV8vuXM
> > xffdZpfUODI0YOxIGVJNwKf8SpMiahyvb4otFnzT3lBqPuyT2EEcqAt2MRsGI2R3
> > l/lUlt4IDxsN31BEKAySfUeDPqOKo0MyA2yZ0z85Lgsm5nVJm4NBt2B7tw==
> > -----END CERTIFICATE-----
> >
> > [d...@thinkbox web2py]$ cat mybad.pem
> > -----BEGIN RSA PRIVATE KEY-----
> > MIIEowIBAAKCAQEA5TBJypoZfgg630Sx7olCd0PDNhx6dghffVecgW+1BkD7uAGb
> > CaSXg7AgiwTNZJmwVO6oiivRgaZi39XG7gy//2uxXcu7d116GkYTRxUSx845O8cC
> > eQm0Kj/ucQ6IfheRRTtVAUThBTKNEAtM6Mx6wGk3uHVktvh/MqTKhIvbuJmwj8BL
> > B7w+d99tD4981FhcmvAYIGnf/0jOwG79LiG6DNIuQyPXnVUtf5S6pU2XaJwmUMy2
> > kkhgowvIM33pNKLiT0D7LjbvxlrcvfgwoH6GfCT38UX1oGyWJT45cFRiTSXBgxAH
> > ajlyM6r5YhTnFCmZhVjjGpXtQcQk9obCX6wI0wIDAQABAoIBAASpX8bcLYqPtkrW
> > Rdw5NH3ihfTyzVbbQr306z0Cvabb6YLLnZCrpV1LVs4dEeRq79g6Znkw/PjrHnW5
> > DmvHHJygXyIuQ6jg4Nvp8vhuKEyiGC3sFVPK67w0QrBQAFy4M/85frgg44bMiWv7
> > HtxZVGHXggehc6P5F/U6vtfFVHnDtKX93g+NPOYpXQTcO30QftSvYqjgx/2wMhOk
> > ItIPOOrKWEwr6Ogjum+g/2u06JgD/vPBpR5Nurs0LUL6H1K50DDOPjlKAQ1LtIJe
> > qRw6PB4qMJWP9qTgkiDq98jKJ0zzDDvWjGhz5DqepK8+dyZqF6/1PPJxdE5l6K3I
> > AqeVQdkCgYEA9LboYrJpdBScz26I5Q5nL5+iwSvYNIlRLDocjfzrkeXicfTiCzim
> > TCHWgVzRL0E78TASELIvioeJ7unpk7a7KiacO2Cat/CwhfUE/aKkiSJbvw/BrmRU
> > PY8N65fVRc2UQK51FlulCjNG4TgbMJIQxmVS3zXPhdmr7GAWbyUWNhUCgYEA78IV
> > KSo/TqHRRdHzIQfRUNwmGH049/9wGBbkr67NfsNnv6nS+L81NBH+Ko1eMpZELLmt
> > OofIvuHpFMryMBJVAr8gOv7sPJQIGIwJxMcNMz1NyJSXoq4hXwXAA2Crpi1ODyj0
> > xdiOg47qRwuaYaVjILPqL73ne/vuJdOR2YxqJUcCgYEAxTjMXQ7Q8l7SalL5PTG4
> > c6dCclC1tNGee/hxnvVhnXoaYCEuNED5tY3n5OY7KMx4VM+bH52btxe5ULVwLD4u
> > 5a+sZiZbSzdN7Qgld4ym8magboFyZOwzAFHUtDTwC4u9mcuATf6aKnhc/ZJMR37Q
> > yjRK793cXFGrv5tJOVY4amkCgYB61FyQ7VLnjuEuuuOrDV0/5rkhnK2d5+BehwP7
> > uTsP8T3qpC8wPo0cMweadzhGBFPC8hD8Rmoi2IvXmi0/UXT55j612rneQxxurvem
> > *0000000000000000000000000000000000000000000000000000000000000000*
> > NZN/qwKBgAYFIvQswsUflJdpwgpDIcKtwhRJdXqU01v+NuJPDvv1n8/nWkpPNsq3
> > x7rWUsW+hflwxAh9W+l1fnPvo2m66Ega83H4CpJ/a8l306fpBqh/jB07cLfcl2T1
> > TfeiVQycQCVPlevvocnm5j2XCgT3Y0GHe6J5WiqyYCjrq6a/f55g
> > -----END RSA PRIVATE KEY-----
>
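Tim asks for a way to match the key and cert in Python. One standard-library-only way, added here as an example (not web2py or Rocket code): a small DER walker pulls the RSA modulus out of the certificate and the nine integers out of a PKCS#1 "RSA PRIVATE KEY" block (the format in Dave's post), then checks the key's CRT components against each other, so a key with a zeroed line is reported by component name rather than silently served. Function names such as key_problems and cert_modulus are my own.

```python
import base64, re
from math import gcd
def pem_body(text, label):
    """Return the joined base64 body of the first PEM block carrying this label."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), text, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return "".join(m.group(1).split())

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        out.append((tag, val))
    return out

def rsa_private_key(pem_text):
    """Parse a PKCS#1 RSAPrivateKey; base64 is lenient so a damaged body still yields integers."""
    _, seq, _ = der_tlv(base64.b64decode(pem_body(pem_text, "RSA PRIVATE KEY")))
    ints = [int.from_bytes(v, "big") for t, v in der_children(seq) if t == 0x02]
    return dict(zip(["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"], ints))

def cert_modulus(pem_text):
    """Walk an X.509 certificate down to subjectPublicKeyInfo and return the RSA modulus."""
    _, cert, _ = der_tlv(base64.b64decode(pem_body(pem_text, "CERTIFICATE")))
    fields = der_children(der_tlv(cert)[1])       # children of tbsCertificate
    if fields[0][0] == 0xA0:                      # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    _, (_, bits) = der_children(fields[5][1])     # serial, sigAlg, issuer, validity, subject, spki
    rsa_pub = der_tlv(bits[1:])[1]                # BIT STRING: drop the unused-bits byte
    return int.from_bytes(der_children(rsa_pub)[0][1], "big")

def key_problems(key_pem, cert_pem):
    """Name every failed check; an empty list means the key is sound and matches the cert."""
    bad = []
    try:
        base64.b64decode(pem_body(key_pem, "RSA PRIVATE KEY"), validate=True)
    except ValueError:                            # binascii.Error: non-base64 characters present
        bad.append("base64")
    k = rsa_private_key(key_pem)
    lcm = (k["p"] - 1) * (k["q"] - 1) // gcd(k["p"] - 1, k["q"] - 1)
    checks = {"n": k["p"] * k["q"] == k["n"], "d": k["e"] * k["d"] % lcm == 1,
              "dp": k["dp"] == k["d"] % (k["p"] - 1), "dq": k["dq"] == k["d"] % (k["q"] - 1),
              "qinv": k["qinv"] * k["q"] % k["p"] == 1, "cert": k["n"] == cert_modulus(cert_pem)}
    return bad + [name for name, ok in checks.items() if not ok]
```

Run on the pair Dave posted, the strict decode flags the asterisks and zeros, and the lenient pass then shows the modulus still matching the cert while the zeroed line lands inside the dq component, which is why the other checks stay green.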