Secure ssl connection with wrap_socket

AndDM anddimario at gmail.com
Wed Jul 6 10:44:16 CEST 2011


On Jul 5, 4:08 pm, Jean-Paul Calderone <calderone.jeanp... at gmail.com>
wrote:
> On Jul 5, 4:52 am, Andrea Di Mario <anddima... at gmail.com> wrote:
>
> > Hi, I'm a new python user and I'm writing a small web service with ssl.
> > I want use a self-signed certificate like in wiki:http://docs.python.org/dev/library/ssl.html#certificates
> > I've used wrap_socket, but if i try to use
> > cert_reqs=ssl.CERT_REQUIRED, it doesn't work with error:
>
> > urllib2.URLError: <urlopen error _ssl.c:326: No root certificates
> > specified for verification of other-side certificates.>
>
> > It works only with CERT_NONE (the default) but with this option i
> > could access to the service in insicure mode.
>
> > Have you some suggestions for my service?
>
> Also specify some root certificates to use in verifying the peer's
> certificate.  Certificate verification works by proceeding from a
> collection of "root" certificates which are explicitly trusted.  These
> are used to sign other certificates (which may in turn be used to sign
> others, which in turn...).  The process of certificate verification is
> the process of following the signatures from the certificate in use by
> the server you connect to back up the chain until you reach a root
> which you have either decided to trust or not.  If the signatures are
> all valid and the root is one you trust, then you have established a
> connection to a trusted entity.  If any signature is invalid, or the
> root is not one you trust, then you have not.
>
> The root certificates are also called the "ca certificates" or
> "certificate authority certificates".  `wrap_socket` accepts a
> `ca_certs` argument.  Seehttp://docs.python.org/library/ssl.html#ssl-certificates
> for details about that argument.
>
> Jean-Paul

Hi Jean-Paul, i thought that with self-signed certificate i shouldn't
use ca_certs option. Now, i've created a ca-authority and i use this
command:

 self.sock = ssl.wrap_socket(sock, certfile = "ca/certs/
myfriend.cert.pem", keyfile = "ca/private/myfriend.key.pem",
ca_certs="/home/andrea/ca/certs/cacert.pem",
cert_reqs=ssl.CERT_REQUIRED)

When i use the some machine as client-server it works, but, when i use
another machine as client, i've this:

Traceback (most recent call last):
  File "loginsender.py", line 48, in <module>
    handle = url_opener.open('https://debian.andrea.it:10700/%s+%s' %
(DATA,IPIN))
  File "/usr/lib/python2.6/urllib2.py", line 391, in open
    response = self._open(req, data)
  File "/usr/lib/python2.6/urllib2.py", line 409, in _open
    '_open', req)
  File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "loginsender.py", line 33, in https_open
    return self.do_open(self.specialized_conn_class, req)
  File "/usr/lib/python2.6/urllib2.py", line 1145, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 185090050] _ssl.c:328: error:
0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>

I see that i should create a certificate with server, client and ca
autority, but i haven't clear the ca_certs option and which path i
should use.
Have you any suggestion?

Thank. Regards.



More information about the Python-list mailing list