[pyOpenSSL] How can I verify client that the client is signed by me?

Sebastian Greatful sebastianthegreatful at gmail.com
Wed Sep 17 22:18:22 CEST 2008



>-----Original message-----
>From: pyopenssl-list-bounces at lists.sourceforge.net
>[mailto:pyopenssl-list-bounces at lists.sourceforge.net] On behalf of Jean-Paul
>Calderone
>Sent: 17 September 2008 21:54
>To: pyopenssl-list at lists.sourceforge.net
>Subject: Re: [pyOpenSSL] How can I verify client that the client is signed by
>me?

>On Wed, 17 Sep 2008 21:44:51 +0200, Sebastian Greatful
><sebastianthegreatful at gmail.com> wrote:
>>I now execute load_verify_locations on the Context object, instead... doh!
>>
>>However I'm still very unsure about how to handle the retcode... all hints
>>appreciated :)

>If it's false, return false from your verify callback.  If it's true,
>either return true, or do whatever extra checks you want and return the
>result of them.

So basically I should just return it? Since at the moment I don't want to
verify on other parameters...

The code is as below, and I have used the following guide
http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html to
generate the certs. However, the retcode remains false, even though the
client's certificate really should be signed with the file referred to by
caFile.

Any ideas on where I go wrong?


import socket
from SocketServer import TCPServer   # 'socketserver' on Python 3

from OpenSSL import SSL


class SSLTCPServer(TCPServer):
    keyFile = "sslcert/server.key"
    certFile = "sslcert/server.crt"
    caFile = "sslcert/ca.crt"      # CA that signed the client certificates

    def __init__(self, server_address, RequestHandlerClass):
        ctx = SSL.Context(SSL.SSLv23_METHOD)
        ctx.use_privatekey_file(self.keyFile)
        ctx.use_certificate_file(self.certFile)
        ctx.load_verify_locations(self.caFile)
        # Require a client certificate and call _verify for every
        # certificate in the presented chain
        ctx.set_verify(SSL.VERIFY_PEER |
                       SSL.VERIFY_FAIL_IF_NO_PEER_CERT |
                       SSL.VERIFY_CLIENT_ONCE, self._verify)
        ctx.set_verify_depth(10)
        ctx.set_session_id('DFS')

        self.server_address = server_address
        self.RequestHandlerClass = RequestHandlerClass
        self.socket = socket.socket(self.address_family, self.socket_type)
        self.socket = SSL.Connection(ctx, self.socket)   # wrap the listening socket
        self.socket.bind(self.server_address)
        self.socket.listen(self.request_queue_size)

    def _verify(self, conn, cert, errno, depth, retcode):
        # retcode is OpenSSL's own verdict for this certificate; pass it through
        return retcode
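As an added example, not code from this thread or from pyOpenSSL itself, here is a verify callback that follows the advice quoted above: hand back OpenSSL's negative verdict unchanged (logging errnum and depth, which is what you would look at when retcode stays false), and only apply extra checks of your own once the chain check has passed for the depth-0 client certificate. FakeCert, the allow-list of client CNs and build_server_context are assumptions of the example; the file names mirror the poster's server.

```python
import logging

log = logging.getLogger("clientauth")

class FakeCert:
    """Constructed stand-in for an OpenSSL.crypto.X509 object, offline use only."""
    def __init__(self, cn):
        self.cn = cn
    def get_subject(self):
        return type("Name", (), {"CN": self.cn})()

def make_verify_callback(allowed_client_cns):
    """Return a callback with pyOpenSSL's (conn, cert, errnum, depth, ok)
    signature. OpenSSL calls it once per certificate in the chain, CA first
    (highest depth) down to the client cert (depth 0); returning False at
    any depth aborts the handshake."""
    allowed = set(allowed_client_cns)

    def verify(conn, cert, errnum, depth, preverify_ok):
        subject_cn = cert.get_subject().CN
        if not preverify_ok:
            # errnum is the X509_V_ERR_* code, e.g. 20 = "unable to get local
            # issuer certificate": the chain is not anchored in the CA given
            # to load_verify_locations. Log it, then hand the verdict back.
            log.warning("chain check failed: depth=%d errnum=%d CN=%r",
                        depth, errnum, subject_cn)
            return False
        if depth != 0:
            return True  # CA/intermediate cert: OpenSSL already vouched for it
        # Leaf (client) cert passed the chain check: apply our own policy.
        if subject_cn not in allowed:
            log.warning("client CN %r not on the allow-list", subject_cn)
            return False
        return True

    return verify

def build_server_context(key_file, cert_file, ca_file, allowed_client_cns):
    """Wire the callback into a Context the way the poster's server does."""
    from OpenSSL import SSL  # imported here so the callback needs no pyOpenSSL
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.use_privatekey_file(key_file)
    ctx.use_certificate_file(cert_file)
    ctx.load_verify_locations(ca_file)  # CA that signed the client certs
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                   make_verify_callback(allowed_client_cns))
    ctx.set_verify_depth(10)
    return ctx
```

Because the callback runs for the CA certificate as well as the client's, a false retcode at depth 1 with errnum 20 means the CA file itself was not accepted as a trust anchor, which is a different problem from a client certificate signed by the wrong key.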
