[Twisted-Python] SSL: Getting the client certificate

Dirk Loss lists at dirk-loss.de
Thu Aug 30 10:08:01 MDT 2007


David Bolen wrote:
> Not sure if it helps, but here's some old code of mine where I
> experimented with the echo SSL examples to add symmetric certificate
> checking.

Thank you very much for your code. It's useful to see that the peer cert 
could be interpreted in the _verify callback. And your method to 
retrieve all X.509 attributes is quite clever. :)

But I could not get your SSL server and client to work. At least not 
completely: After printing the server's certificates (server.pem and 
ca.pem), the client quits with the following error:

_verify (ok=1):
...
errnum 0, errdepth 0
connection lost (protocol)
connection lost: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert 
certificate unknown'), ('SSL routines', 'SSL3_READ_BYTES', 'ssl 
handshake failure')]

Maybe there's some problem with my certificates. I had successfully 
tested them with OpenSSL, though:

openssl s_server -accept 9000 -Verify 9 -cert server.pem -CAfile ca.pem
openssl s_client -connect localhost:9000 -verify 9 -cert client.pem 
-CAfile ca.pem

(In your code I replaced the "ca/ca.cert" and "ca/all-cas.cert" 
filenames with "ca.pem".)

I get the same error if I use your server and OpenSSL as a client.

If you have any idea, I'll be happy to hear from you again.

For now I will just use use the second method I mentioned in my original 
post: getting the peer certificate in dataReceived() instead of 
connectionMade(). This at least avoids the ugly do_handshake() polling 
loop I had been using. But there's still some DoS risk because a 
malicious client could just wait forever before sending any data (and 
thus before authentication.)

Regards
Dirk




More information about the Twisted-Python mailing list