how to verify SSL certificate chain - M2 Crypto library?

skrobul skrobul at
Sun May 17 19:20:54 EDT 2009


is there any simple way to do SSL certificate chain validation using
M2Crypto or any other library ?

Basically what I want to achieve is to be able to say if certificate
chain contained in 'XYZ.pem' file is issued by known CA (list of
common root-CA's certs should be loaded from separate directory).
Right now I do it by spawning command 'openssl verify -CApath
<ca_certs_path> XYZ.pem' and it works. However I think that there must
be a simpler way.

 I've spent last few hours trying to go through M2Crypto sources and
API "documentation" but the only possible way that I've found is
spawning separate server thread listening on some port, and connecting
just to verify if cert chain is valid, but going this way is at least
not right. The other approach which I've tried is using low-level
function m2.X509_verify() but it does not work as I expect. It returns
0 (which means valid) even if CA certificate is not known.

Any suggestions / tips ?

Marek Skrobacki

More information about the Python-list mailing list