[PYTHON-CRYPTO] Are verify callbacks global in M2Crypto?
Heikki Toivonen
hjtoi at COMCAST.NET
Sat Nov 1 08:00:18 CET 2008
Aaron C Spike wrote:
> Using M2Crypto 0.18.2 on Ubuntu Hardy Heron, it seems that the callbacks
> passed to Context.set_verify() are shared between Contexts and therefore
> only a single callback is used. I've created a test case to illustrate
Yes, this is correct. There is an old bug on this issue:
https://bugzilla.osafoundation.org/show_bug.cgi?id=3125
> In the above example cb1.counter remains 0. My goal is to serve requests
> on two sockets with different requirements for the clients which connect
> to each. While this example is seen from the client perspective I
> experience the same behavior on the server. I would appreciate advice on
> how I can correct my code to function as I expect.
The question I have is: do you really need different contexts to have
different verify callback functions?
I would assume most applications need just a single verify callback.
After all, in what situations would you want to change certificate
verification?
The post connection check where you'll check the certificate hostname
matches peer's address can be done after certificate validation, so this
does not need a connection specific verification function.
The verification callback can carry connection specific information, and
people did this with the old style verification callbacks. This is now
deprecated (although it still works). AFAIK it should be possible to do
this with the new style callbacks as well, but I ran into some problems
in trying to implement this for Python. Unfortunately I don't remember
the exact issues. I just remember I saw how to do it in C, but couldn't
figure out a good way to implement that for M2Crypto.
--
Heikki Toivonen - http://heikkitoivonen.net
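The thread above establishes that M2Crypto's `Context.set_verify()` callback is effectively process-wide, and Heikki suggests that a single callback carrying connection-specific information is the workable design, with the hostname check done separately after validation. The following added example, which is not code from the thread or from M2Crypto, shows one way to do that in pure Python: one shared callback, a thread-local "active policy" set around each handshake, and a post-connection hostname check kept outside the callback. It assumes (as OpenSSL does) that the verify callback runs synchronously on the thread performing the handshake, and it assumes the new-style `callback(ok, store)` signature with `store.get_error()` and `store.get_error_depth()`; a constructed stand-in for the store object is used so the example runs offline without M2Crypto.

```python
"""Added example, not part of the original thread or of M2Crypto.

One process-wide verify callback dispatches to a per-connection policy,
working around set_verify() callbacks being shared across Contexts.

Assumptions (not established by the thread):
 * OpenSSL invokes the verify callback synchronously inside the handshake,
   on the thread that called connect()/accept(), so a thread-local
   "active policy" set around the handshake is visible to the callback.
 * New-style M2Crypto signature callback(ok, store), where store exposes
   get_error() and get_error_depth(). StandInStoreCtx below is a
   constructed stand-in so this runs without M2Crypto or a network.
"""
import threading
from contextlib import contextmanager

# OpenSSL X509 verification result codes (values from OpenSSL headers).
X509_V_OK = 0
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18

_active = threading.local()


class VerifyPolicy:
    """Per-connection verification rules, with a counter like cb1.counter
    in the original test case so you can see which policy actually ran."""

    def __init__(self, name, allowed_errors=()):
        self.name = name
        self.allowed_errors = frozenset(allowed_errors)
        self.counter = 0

    def decide(self, ok, error, depth):
        self.counter += 1
        if ok:
            return True
        # Only errors this policy explicitly tolerates are overridden.
        return error in self.allowed_errors


@contextmanager
def verification_policy(policy):
    """Make `policy` the active one for the duration of a handshake, e.g.
    `with verification_policy(strict): conn.connect(addr)`."""
    previous = getattr(_active, "policy", None)
    _active.policy = policy
    try:
        yield
    finally:
        _active.policy = previous


def shared_verify_callback(ok, store):
    """The single callback passed to every Context.set_verify().

    Returns 1 to accept the certificate at the current depth, 0 to reject.
    Fails closed when no policy is active rather than silently accepting."""
    policy = getattr(_active, "policy", None)
    if policy is None:
        return 0
    accepted = policy.decide(bool(ok), store.get_error(), store.get_error_depth())
    return 1 if accepted else 0


class StandInStoreCtx:
    """Constructed stand-in for M2Crypto.X509.X509_Store_Context."""

    def __init__(self, error, depth):
        self._error, self._depth = error, depth

    def get_error(self):
        return self._error

    def get_error_depth(self):
        return self._depth


def simulate_handshake(policy, chain_errors):
    """Drive the callback the way OpenSSL would, once per chain element
    (deepest first); returns True only if every element was accepted.
    chain_errors is a constructed list of (error_code, depth) pairs."""
    with verification_policy(policy):
        for error, depth in chain_errors:
            ok = error == X509_V_OK
            if not shared_verify_callback(ok, StandInStoreCtx(error, depth)):
                return False
    return True


def post_connection_check(peer_names, expected_host):
    """Hostname check run after chain validation, outside the verify
    callback; exact, case-insensitive match against the peer's names."""
    expected = expected_host.lower().rstrip(".")
    return any(n.lower().rstrip(".") == expected for n in peer_names)


if __name__ == "__main__":
    strict = VerifyPolicy("strict")
    lenient = VerifyPolicy("lenient", {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT})
    chain = [(X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 0)]
    print("strict:", simulate_handshake(strict, chain), "lenient:", simulate_handshake(lenient, chain))
```

Because the policy is selected per handshake rather than per `Context`, both of Aaron's sockets can register the same `shared_verify_callback` and still enforce different rules; the counters show each policy being consulted only for its own connection. The hostname check stays a plain function run after `connect()`/`accept()` returns, as Heikki describes.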