Certificate validation with HTTPSConnection

Velko Ivanov vivanov at ivanov-nest.com
Wed Sep 29 11:53:02 CEST 2010


I've always wondered why HTTPSConnection does not validate.

It is fairly simple to use the SSL socket's validation:

import socket
import ssl
from http.client import HTTPConnection, HTTPS_PORT


class HTTPSConnection(HTTPConnection):
    """This class allows communication via SSL.

    It is a copy of the http.client.HTTPSConnection with added
    certificate validation.
    """

    default_port = HTTPS_PORT

    def __init__(self, host, port=None, key_file=None, cert_file=None,
                 cert_reqs=ssl.CERT_NONE, ca_file=None, strict=None,
                 timeout=socket._GLOBAL_DEFAULT_TIMEOUT):
        HTTPConnection.__init__(self, host, port, strict, timeout)
        self.key_file = key_file
        self.cert_file = cert_file
        # ssl.CERT_REQUIRED makes the handshake fail unless the server
        # presents a certificate that chains to a CA listed in ca_file.
        self.cert_reqs = cert_reqs
        self.ca_file = ca_file

    def connect(self):
        "Connect to a host on a given (SSL) port."
        sock = socket.create_connection((self.host, self.port), self.timeout)

        if self._tunnel_host:
            self.sock = sock
            self._tunnel()
        # Chain validation only: ssl.wrap_socket() does not compare the
        # certificate's subject/SAN against self.host.
        self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
                                    certfile=self.cert_file,
                                    cert_reqs=self.cert_reqs,
                                    ca_certs=self.ca_file)

# usage: host, certfile and cafile are the caller's own values
conn = HTTPSConnection(host, cert_file=certfile, cert_reqs=ssl.CERT_REQUIRED,
                       ca_file=cafile)

It doesn't matter how well the validation is covered in the ssl lib, or
the filenames vs. files issues of ssl.wrap_socket() - HTTPSConnection
should only provide the means to use what is available in SSL and
include a link in the docs to explanations of how SSL does what it does,
so that people can make their decisions.

The above code works quite well
for me in production, where client nodes connect to apache and nginx
servers by HTTPS with certificate based authentication. I'm using self
signed CA though and I don't need revocation lists, so I know nothing of
whether that part of validation is/could be working. 

Just sharing a simple solution to a simple problem on which I spent more
than a few hours in reading; hope this helps the next lost soul.

Best Regards 
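A modern version of the same idea, added here as an example that is not from the original post: since Python 3.4 http.client.HTTPSConnection accepts an SSLContext, so no subclass is needed, and the context can also check that the certificate was issued for the host being contacted, which ssl.wrap_socket() in the post does not. The helper names and the cafile/certfile arguments are assumptions; no request is sent by the code below.

```python
import socket
import ssl
from http.client import HTTPSConnection


def build_client_context(cafile=None, certfile=None, keyfile=None):
    """SSLContext that verifies the server's chain *and* its hostname.

    cafile: PEM bundle of trusted CAs (e.g. a private CA); None uses the
    platform trust store.  certfile/keyfile: optional client certificate
    for certificate-based authentication, as in the original post.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    # Already the SERVER_AUTH defaults; set explicitly so the policy is
    # visible and survives a later swap of the constructor.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def policy_summary(ctx):
    """The two settings that decide whether a bad server is rejected."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


def hostname_is_enforced(ctx):
    """True if ctx refuses to wrap a socket without a server_hostname.

    With check_hostname set, ssl raises ValueError before any network
    I/O, so the fail-closed behaviour can be checked offline.
    """
    with socket.socket() as plain:
        try:
            ctx.wrap_socket(plain, server_hostname=None)
        except ValueError:
            return True
    return False


def verifying_https_connection(host, port=None, cafile=None,
                               certfile=None, keyfile=None, timeout=10):
    """HTTPSConnection that fails the handshake on an untrusted chain or
    on a certificate issued for a different host.  Nothing is sent
    until request() is called."""
    ctx = build_client_context(cafile, certfile, keyfile)
    return HTTPSConnection(host, port, timeout=timeout, context=ctx)
```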
