More M2Crypto issues. Not big ones, though.

John Nagle nagle at
Sat Jan 13 06:38:44 CET 2007

Heikki Toivonen wrote:
> John Nagle wrote:
>>  A list of small problems and bugs in the current M2Crypto:
>>I need to look at SSL certificates in some detail, so this
>>is all about the access functions for certificates.
> Thanks, got the reports, will check them out.
>>    3. /M2Crypto/SSL/
>>    DeprecationWarning: Old style callback, use cb_func(ok, store)
>>    instead return m2.ssl_connect(self.ssl)
>>    (Also reported, in Polish, here:
>>    Entered into Bugzilla as #7718.
> This is actually intended. Once I figure out how to implement all the
> functionality in the new way I'd like to remove the old way.


>>    4. "close()" on an SSL socket that's just finished certificate
>>    negotiation hangs, at least on Windows.  
> No known issues, but the ending of an SSL connection is a little grey
> area to me so I wouldn't be surprised if there are some cases where we
> shut down prematurely or too late. But I don't know why we'd hang.

    I'll check that again.

>>    1. X509.X509_name.__getattr__:
>>    Field retrieval from X.509 name items with x509_name_by_nid
>>    retrieves only first instance of field, not all instances.
> Yes, I've been battling with this myself as well. OpenSSL provides
> objects to get things as a list, but they are so weird I haven't yet
> figured out a way to wrap them in Python so that you would actually be
> able to get some values out.

      I convert X509_name items to a list of tuples.  Here's an example:

	Server: [
		('CN', ''),
		('OU', 'Travel Services'),
		('O', 'Niche Travel Ltd.'),
		('L', 'Nicosia'),
		('ST', 'Nicosia'),
		('C', 'CY')]

That's straightforward.

But to do this I have to convert the X509_name item to a string, like this:

     subjectstr = subject.as_text(flags=(m2.XN_FLAG_RFC2253 | 

which yields a string of items like "L=Nicosia, OU=Travel Services", with
backslash escapes where necessary.  (The default formatting does not
have proper escaping; it's just for debug use.)  So I parse that,
obeying the escapes, and get out the tuples.  This works OK, but
shouldn't be necessary.  It's not something I need now, though.

Most things in X509 certificates map well to lists of tuples.

>>    2. Unclear if M2Crypto's X.509 interface is UTF-8 compatible.
>>    OpenSSL will return info in UTF-8 if you use the
>>    ASN1_STRFLGS_UTF8_CONVERT flag on as_text, but unclear if the
>>    M2 glue code handles this correctly.  Haven't found a UTF8 cert
>>    to test it on yet.
> Yeah, I am not convinced everything works as it should. Any UTF8 (and
> other encoding) samples would be welcome.

      Looking for one.  I think all that's needed is to recognize when
ASN1_STRFLGS_UTF8_CONVERT is set when converting to a Python string,
and convert to the appropriate form of Python string.

      Just rediscovered bug #5277, "Support certificates with multiple DNS 
names", which is fixed in 0.18.  Looking forward to version 0.18.
If you want to test that, try to open "".

					John Nagle
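
The string-to-tuples step described in the message above, as an added sketch (not John Nagle's code and not part of M2Crypto). `parse_dn` is a hypothetical name; it assumes the escaped `KEY=value` text form quoted above and does not handle `#`-hex-encoded values or double-quoted strings.

```python
import string

HEX = set(string.hexdigits)

def parse_dn(text):
    """Parse 'K=V,K=V' with RFC 2253 backslash escapes into [(K, V), ...]."""
    pairs, key, buf, keep, i = [], None, bytearray(), 0, 0

    def flush():
        nonlocal key, buf, keep
        if key is None:
            raise ValueError("component without '=': %r" % bytes(buf))
        # keep marks the end of the last significant byte, so unescaped
        # trailing padding is dropped while an escaped space survives.
        pairs.append((key, bytes(buf[:keep]).decode("utf-8")))
        key, buf, keep = None, bytearray(), 0

    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash")
            pair = text[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                buf.append(int(pair, 16))           # \C3\A9 style byte escape
                i += 3
            else:
                buf += text[i + 1].encode("utf-8")  # \, \+ \" \\ and so on
                i += 2
            keep = len(buf)
            continue
        if key is None and ch == "=":
            key, buf, keep = bytes(buf[:keep]).decode("utf-8"), bytearray(), 0
        elif key is not None and ch in ",+":
            flush()                # unescaped separator ends the component
        elif ch == " " and not buf:
            pass                   # padding after a separator
        else:
            buf += ch.encode("utf-8")
            if ch != " ":
                keep = len(buf)
        i += 1
    if key is not None or buf:
        flush()
    return pairs

# Constructed sample: escaped separators, a repeated OU, a UTF-8 hex escape.
SAMPLE = r"O=Acme\, Inc., OU=R\+D,OU=Travel Services,CN=Jos\C3\A9"
if __name__ == "__main__":
    print(parse_dn(SAMPLE))
```

Splitting the same string on bare commas would cut `Acme\, Inc.` into two components, which is why the escapes have to be obeyed before any field is trusted. Repeated attribute types come back as separate tuples, so no instance is lost.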
