SSL meta data

Jan Dries jan.dries at dcube-resource.be
Mon Sep 25 21:42:37 CEST 2006


Paul Rubin wrote:
> "BerndWill" <bernd at ewill.de> writes:
>> I would love to read programmatically some information out of the 
>> certificates itself (who signed it and what is the validation period, i.e. 
>> meta data).
>>
>>  Can someone please help me out here !?
> 
> This is very cheesy but I sometimes I've just run the openssl command
> line utility with popen and read the output:
> 
>   openssl x509 -text -noout -in certfile
> 
> will dump out the cert contents and you can parse it with regexps.
> 
> The right way to do it is to make the appropriate m2crypto (or
> whatever) calls that parse the cert directly.

I'm not sure this is what the OP is looking for. Your method assumes the 
certificate is on the local file system, while it seems to me he wants 
to do an HTTPS request to one of their servers and obtain information 
from the certificate installed there.

For doing that, cURL might be a good choice (either the command line 
version (http://curl.haxx.se) or the python extension module PycURL 
http://pycurl.sourceforge.net/)).

For instance:

C:\> curl -v https://www.paypal.com

* About to connect() to www.paypal.com port 443
*   Trying 216.113.188.65... * connected
* Connected to www.paypal.com (216.113.188.65) port 443
* successfully set certificate verify locations:
*   CAfile: C:\home\personal\development\bin\curl-ca-bundle.crt
   CApath: none
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: /C=US/ST=California/L=Mountain View/O=Paypal 
Inc./OU=Information Systems/OU=Terms of use at
www.verisign.com/rpa (c)00/CN=www.paypal.com
*        start date: 2006-02-09 00:00:00 GMT
*        expire date: 2008-02-09 23:59:59 GMT
*        common name: www.paypal.com (matched)
*        issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign 
International Server CA - Class 3/OU=
www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
* SSL certificate verify ok.

[more output deleted]

I'm sure that by using the cURL API directly, you can obtain the 
certificate information in a more direct way without having to rely on 
parsing the above output with regexps. Doing so might also be more 
complex though :-)

Regards,
Jan




More information about the Python-list mailing list