[Twisted-Python] SSL problem

Steve Freitas sflist at ihonk.com
Thu Dec 21 21:55:14 EST 2006


Thanks JP.

On Thu, 2006-12-21 at 11:04 -0500, Jean-Paul Calderone wrote:
> You have two pieces of data which are yours -  your private key and your
> certificate (which is a csr signed by RapidSSL).  The client needs (at
> least) one more piece of information, though - RapidSSL's certificate.

I found it here:

http://www.rapidssl.com/cps/rapidssl_01.cer

At least, I believe that's right, since despite some looking around, I'm
not sure how to verify by hand that my cert was signed by that CA. (I
played with openssl verify but it gave the OK to my cert without
pointing it at RapidSSL's root cert file, so I don't know that it's
doing what I want.) I've attached my cert in case you're interested.

> Try this.  Put RapidSSL's certificate into a file, subclass
> DefaultOpenSSLContextFactory, override cacheContext, and on self._context,
> call use_certificate_chain_file with the name of the file you put RapidSSL's
> certificate into.
> 
> This causes the server to include it in the handshake which is often
> required for clients to accept your certificate as valid.

Okay, I tried that...

class MyOpenSSLContextFactory(ssl.DefaultOpenSSLContextFactory):
    def cacheContext(self):
        ssl.DefaultOpenSSLContextFactory.cacheContext(self)
        self._context.use_certificate_chain_file(CA_CERT_FILE)

...and nothing at all would connect to it. But read on...

> At some point, I think connectionLost for SSL connections was adjusted
> so that the SSL exception would be available.  However, the important
> information is going to be on the client side <snip>

So based on this information, I whipped up a Twisted SSL client to hit
it to see what's wrong, and it tossed this out:

2006/12/21 20:36 CST [POP3Client,client] Traceback (most recent call
last):
        Failure: OpenSSL.SSL.Error: [('SSL routines', 'SSL3_READ_BYTES',
'sslv3 alert handshake failure'), ('SSL routines', 'SSL3_WRITE_BYTES',
'ssl handshake failure')]

Not sure if that's informative enough to suggest a next step!

Thanks for your help,

Steve
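
An added example, not part of either message above: the two by-hand checks this thread turns on, in shell. It verifies a certificate against one specific CA file with openssl verify, and confirms that the first certificate in a chain file matches the server's private key, since OpenSSL's chain-file loader takes the first certificate in the file as the server's own. The CA, host name and file names are constructed for the demonstration, and -no-CApath assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example: every name, subject and file here is constructed for the demo.

# Create a throwaway CA and a server key/cert signed by it in directory $1.
# chain.pem is written in chain-file order: server certificate first, then CA.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null &&
    cat "$d/server.pem" "$d/ca.pem" > "$d/chain.pem"
}

# Succeed only if certificate $2 verifies against the CA file $1.
# -no-CApath (OpenSSL 1.1.0+) keeps the system's default CA directory
# out of the check.
signed_by() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if the FIRST certificate in PEM file $2 holds the public key of
# private key $1 (openssl x509 reads just the first certificate in a file).
first_cert_matches_key() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir" || return 1
    signed_by "$dir/ca.pem" "$dir/server.pem" &&
        echo "server.pem verifies against ca.pem"
    first_cert_matches_key "$dir/server.key" "$dir/chain.pem" &&
        echo "chain.pem: first certificate matches server.key"
    first_cert_matches_key "$dir/server.key" "$dir/ca.pem" ||
        echo "ca.pem alone: first certificate does not match server.key"
    rm -rf "$dir"
}
demo
```

A chain file that passes first_cert_matches_key and whose first certificate passes signed_by against the issuing CA is in the order the chain-file loader expects.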