Wierd M2Crypto bug - phony "peer did not return certificate" error

John Nagle nagle at animats.com
Fri Jan 12 06:54:42 CET 2007


Heikki Toivonen wrote:
> nagle at animats.com wrote:
> 
>>  That's a problem for me.  I need short timeouts; I'm accessing sites
>>that might or might not have SSL support, and I need to quickly time
>>out when there's no SSL server.
> 
> 
> You should be able to do short timeouts, just not using the global
> setdefaulttimeout. Have you tried Connection.set_socket_read/write_timeout?

     Yes.  That does not affect the connect timeout; it's only effective once
the connection has been opened.  And adjusting the session timeout
just recreates the blocking/non blocking problem.

     Incidentally, "get_socket_read_timeout()" doesn't work.  Generates
"EXCEPTION at socket level: unpack str size does not match format",
every time, at least with Python 2.4 on Windows.  The lower level
function returns one number as a string, like "7200", and the unpack
function tries to unpack it as "ll", which fails.

> Also like I mentioned before, if you use the Twisted wrapper and let
> Twisted handle network stuff you should be fine.

     That would mean struggling with Twisted and dealing with its bugs.
(For example, has the MySQLdb mess been resolved for Twisted's API?)
This isn't a long-running application; it usually runs as a CGI program.
So Twisted is inappropriate.

> M2Crypto and pyOpenSSL (and pyOpenSSL-extended, which you might want to
> take a look at as well) are implemented pretty differently, so merging
> seems unlikely. They are pretty small code wise, though, so it is not an
> impossible task.

     That seened good idea, and so I downloaded the source and tried to build
it on a Windows machine to run with Python 2.4.  But that build needs
(exactly) Visual Studio 7.1, which I don't have.  It also wants a specific
version of OpenSSL, and has a build file which seems to assume a 1998 version
of Visual C++.  The last change was in 1995, and it's still at an 0.x version,
so it's effectively abandonware.  I have some doubts that it really works
any more. I saw some Python 2.2/2.3 specific code in there.

     I could try building on a Linux system, but it's useful to me if Python
works on both Windows and Linux.
> 
> Personally I think I'd prefer if Python stdlib contained a better SSL
> module that did at least all the checks required for safe SSL
> connection. (Yeah, yeah, maybe I need to write it myself if nobody else
> gets to it;)

     What I need is proper SSL operation, certificate chain validation,
useful exception info when a connection fails (including why), and
read acess to the certificate itself in some reasonably sane form.
And I need to time out an SSL connection if it can't connect and
verify within 4 seconds.  It's embarassing that this doesn't work,
despite four different wrappers for OpenSSL.

     I'm willing to spend a few hundred dollars towards making this happen.

				John Nagle



More information about the Python-list mailing list