Does python ssl module validate correctly? (I have a strange example that bothers me)

Question

Does python ssl module validate correctly? (I have a strange example that bothers me)

Problem:

The Python ssl module does not complain about the certificate, although the issuing CA is not provided in the cacert.pem file (test example 2 below). I use CA extracted from Mozilla. Firefox correctly complains about an unknown CA (in this case, the Department of Defense).

It seems that only the certificate itself receives confirmation, and not that the CA is known. I am running Python 2.7.1 and using sssl version of OpenSSL 0.9.8r.

Test cases:

Check out the following sites in Firefox and with the python example below.

https://www.verisign.com - should work, CA is known
https://www.us.army.mil - should not work because CA is unknown
https://www.pcwebshop.co.uk - should not work, only Parallels Panel certificate

Case 2. is checked by the python client, although it should not.

Case 3. throws an exception as expected:

routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Python client example:

CA file: http://curl.haxx.se/ca/cacert.pem (mozilla default CAs using fillet support).

A slightly modified version of http://docs.python.org/library/ssl.html#client-side-operation :

# test_ssl.py   
import socket, ssl, pprint, sys
host = sys.argv[1]

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# require a certificate from the server
ssl_sock = ssl.wrap_socket(s,
                           # http://curl.haxx.se/ca/cacert.pem
                           ca_certs="cacert.pem", 
                           cert_reqs=ssl.CERT_REQUIRED)

ssl_sock.connect((host, 443))

print repr(ssl_sock.getpeername())
print ssl_sock.cipher()
print pprint.pformat(ssl_sock.getpeercert())

# Set a simple HTTP request -- use httplib in actual code.
ssl_sock.write("""GET / HTTP/1.0\r
Host: """ + host + """\r\n\r\n""")

# Read a chunk of data.  Will not necessarily
# read all the data returned by the server.
data = ssl_sock.read()
print data

# note that closing the SSLSocket will also close the underlying socket
ssl_sock.close()

Using:

python test_ssl.py www.verisign.com
python test_ssl.py www.us.army.mil
python test_ssl.py www.pcwebshop.co.uk

UPDATE:

With strcat and others, I can confirm that this behavior is specific to:

OSX Lion 10.7.1
Python 2.7.1 and Python 2.6.7
OpenSSL 0.9.8r February 8, 2011

. , OpenSSL mac CA , . , www.us.army.mil , , , . - opensl Mac?

+5

python security certificate ssl https

snies 07 . '12 6:43

2

Apple OpenSSL, , , . : http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-32/src/crypto/x509/x509_vfy_apple.c

, python openssl, openssl.org, TEA.

+1

maranas 23 . '12 8:27

snies · Accepted Answer · 2012-03-07T10:20:17+0000

:

, OSX openssl , , python.

www.us.army.mil , , , (http://royal.pingdom.com/2008/08/19/new-ssl-policy-in- Firefox------/). , CA OSX DoD, Safari , python.

Keychan Access → System Roots → Certificates, python , , python ssl/OpenSSL OSX 10.7.1 , . , , .

Does python ssl module validate correctly? (I have a strange example that bothers me)

More articles: