[Twisted-Python] SSL: Getting the client certificate

[Jean-Paul Calderone]

On Sun, 26 Aug 2007 22:23:49 +0200, Dirk Loss <lists at dirk-loss.de> wrote:
>Jean-Paul Calderone wrote:
>>This solution has at least two related problems:
>>  * it will block the reactor until the handshake for that client completes,
>
>Yes, it's ugly. Not being able to run other application code is no problem 
>in my case, so I thought I could live with that. But the possibe DoS attack 
>you mentioned should be avoided, of course.
>>The ideal solution would be to fix the bug in Twisted's SSL support so that
>>connectionMade is called at the right time.
>
>This would be nice. Maybe I should take a deeper look at Twisted's SSL code.
>>Another possible solution might be to do your verification using the SSL 
>>context object.
>
>Could you elaborate on this? I think I am already using the SSL context 
>object to do the verification:
>
>theCert = ssl.PrivateCertificate.loadPEM(open(myKey).read())
>theCA = ssl.Certificate.loadPEM(open(trustedCA).read())
>ctx = theCert.options(theCA)
>ctx.verify = True
>ctx.verifyDepth = 9
>ctx.requireCertificate = True
>ctx.verifyOnce = False
>application = service.Application("MySSLServer")
>MyService = internet.SSLServer(listenport, MyAppFactory(), ctx)
>MyService.setServiceParent(application)
>
>(Above code obviously will not run. Just to show the basic steps I take.)

CertificateOptions doesn't directly support a custom verification callback,
which I think is what you want, but it does use that feature in order to log
SSL errors.  If you take a look at the implementation, you'll see a nested
function named _trackVerificationProblems.  If this could be customized by
application code, then it could do things like check hostnames.  I forget why
this isn't exposed to applications.  I think someone suggested that it wasn't
actually what you wanted to do, but I don't remember any more details than
that.

Jean-Paul