[PYTHON-CRYPTO] Are verify callbacks global in M2Crypto?

Aaron Spike acspike at GMAIL.COM
Sat Nov 1 17:10:40 CET 2008

On Sat, Nov 1, 2008 at 2:00 AM, Heikki Toivonen <hjtoi at comcast.net> wrote:
> Aaron C Spike wrote:
> > Using M2Crypto 0.18.2 on Ubuntu Hardy Heron, it seems that the callbacks
> > passed to Context.set_verify() are shared between Contexts and therefore
> > only a single callback is used. I've created a test case to illustrate
> Yes, this is correct. There is an old bug on this issue:
> https://bugzilla.osafoundation.org/show_bug.cgi?id=3125

Thanks for pointing that out. Sorry I missed it. I think the arguments
presented in the bug report are convincing. Perhaps if this behavior
can't be corrected it could simply be documented more clearly in the
API docs.

> > In the above example cb1.counter remains 0. My goal is to serve requests
> > on two sockets with different requirements for the clients which connect
> > to each. While this example is seen from the client perspective I
> > experience the same behavior on the server. I would appreciate advice on
> > how I can correct my code to function as I expect.
> The question I have is: do you really need different contexts to have
> different verify callback functions?

This whole SSL thing is pretty new to me, so I apologize if I don't
follow all of your logic.

>From my understanding of the API the ratio of verify callbacks to ssl
contexts is 1:1. If that is true, wouldn't I need different contexts
to have different verify callback functions?

> I would assume most applications need just a single verify callback.
> After all, in what situations would you want to change certificate
> verification?

It isn't that I want to change certificate verification during
execution. I want verification to be different for each socket. I
would like to provide two xmlrpc services. Some clients will be
authorized to connect to one service; others will be authorized to
connect to the other service. I planned to do this authorization check
with the verify callback by checking the cert that the clients present
against a predetermined list of acceptable certs for each service.
Perhaps there is a better way to accomplish this goal?

> The post connection check where you'll check the certificate hostname
> matches peer's address can be done after certificate validation, so this
> does not need a connection specific verification function.

Where can I look for an example of this? I suppose I could follow the
same process to check that the presented cert is in the list of
acceptable certs.

> The verification callback can carry connection specific information, and
>  people did this with the old style verification callbacks. This is now
> deprecated (although it still works). AFAIK it should be possible to do
> this with the new style callbacks as well, but I run into some problems
> in trying to implement this for Python. Unfortunately I don't remember
> the exact issues. I just remember I saw how to do it in C, but couldn't
> figure out a good way to implement that for M2Crypto.

I'm not sure I understand how connection specific information can flow
through the new style callbacks.

Do you know how any of the other OpenSSL wrappers for python handle this issue?

Aaron Spike

More information about the python-crypto mailing list