[Twisted-Python] where to getPeerCertificate()

Eli Criffield elicriffield at gmail.com
Thu Jun 7 17:14:38 EDT 2007

I'd like to check the CN of incoming certs for an xmlrpc server. I
can't seem to find where to get the client's cert information.

In the protocol.Protocol (in my case the http.HTTPChannel), in
connectionMade() I put in a
print self.transport.getPeerCertificate()
but it returns None.
print self.transport.socket.get_peer_certificate()
does the same. I'm sure the client is connecting with a cert because
it's verifying it fine.

I also have no idea where to check, in the client program, to get the cert
info of the server I'm connecting to.

Eli Criffield

#!/usr/bin/env python

from twisted.web import xmlrpc, server, http, resource
from twisted.internet import reactor, ssl
from twisted.python.log import startLogging
from sys import stdout
import OpenSSL

class Example(xmlrpc.XMLRPC):
    """An example object to be published."""
    def xmlrpc_add(self, a, b):
        """Return sum of arguments."""
        return a + b

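class myHTTPChannel(http.HTTPChannel):
    """HTTP channel that prints the peer address and peer certificate on connect."""

    def connectionMade(self):
        """Print the remote address and whatever peer certificate is visible.

        The original printed ``getHost().host`` under the label
        "connection from"; ``getHost()`` is the *local* endpoint, so the
        remote address is taken from ``getPeer()`` instead.
        """
        transport = self.transport
        print "connection from %s"%(transport.getPeer().host,)
        # NOTE(review): connectionMade fires as soon as the TCP connection is
        # established, i.e. before the TLS handshake has completed, so both
        # lookups below are expected to yield None at this point.  The peer
        # certificate only becomes available later in the connection's life
        # (for example once the first request has been received), which is
        # where a CN/issuer check against the trusted CA belongs.
        print transport.socket.get_peer_certificate()
        print transport.getPeerCertificate()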

class mySite(server.Site):
    """Site whose connections are handled by ``myHTTPChannel`` instead of the default channel."""

    protocol = myHTTPChannel

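def makeSSLContext(myKey, trustedCA):
    '''Return a Twisted ``CertificateOptions`` object for mutually authenticated TLS.

    @param myKey: path to a PEM file holding this host's private key and
        certificate; the other end of the connection must trust the CA
        that signed it.
    @param trustedCA: path to a PEM file holding the certificate of the one
        CA you trust.  Only peers presenting a certificate signed by this CA
        are accepted -- as a server, only such clients may connect; as a
        client, only such servers are connected to.
    @return: the configured context-factory object.
    @raise IOError: if either PEM file cannot be opened or read.

    The original version left this docstring unterminated, which swallowed
    the whole function body (and everything after it) into the string
    literal; the closing quotes are restored here.
    '''
    # try/finally keeps the file handles from leaking if loadPEM() raises.
    fd = open(myKey, 'r')
    try:
        theCert = ssl.PrivateCertificate.loadPEM(fd.read())
    finally:
        fd.close()
    fd = open(trustedCA, 'r')
    try:
        theCA = ssl.Certificate.loadPEM(fd.read())
    finally:
        fd.close()
    ctx = theCert.options(theCA)

    # The SSL protocol to use, one of SSLv23_METHOD, SSLv2_METHOD,
    # SSLv3_METHOD, TLSv1_METHOD. Defaults to TLSv1_METHOD.
    # NOTE(review): this pins the connection to TLS 1.0, which is obsolete
    # for current deployments; a newer protocol version should be selected
    # where the installed pyOpenSSL offers one.
    ctx.method = ssl.SSL.TLSv1_METHOD

    # If True, verify certificates received from the peer and fail
    # the handshake if verification fails. Otherwise, allow anonymous
    # sessions and sessions with certificates which fail validation.
    ctx.verify = True

    # Depth in certificate chain down to which to verify.
    ctx.verifyDepth = 1

    # If True, do not allow anonymous sessions.
    # The attribute is spelled ``requireCertificate``; the original set
    # ``requireCertification``, which is not a CertificateOptions attribute
    # and so was silently ignored rather than enforced.
    ctx.requireCertificate = True

    # If True, do not re-verify the certificate on session resumption.
    ctx.verifyOnce = True

    # If True, generate a new key whenever ephemeral DH parameters are used
    # to prevent small subgroup attacks.
    ctx.enableSingleUseKeys = True

    # If True, set a session ID on each context. This allows a shortened
    # handshake to be used when a known client reconnects.
    ctx.enableSessions = True

    # If True, enable various non-spec protocol fixes for broken
    # SSL implementations.
    ctx.fixBrokenPeers = False

    return ctx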

if __name__ == '__main__':
    # Build the XML-RPC resource and the TLS context from the PEM files in
    # the working directory.
    r = Example()
    ctx = makeSSLContext('server.pem','cacert.pem')
    # NOTE(review): the listing ends here in this archive copy; the site
    # construction and the listen/run calls that would use ``r`` and ``ctx``
    # are presumably truncated from the message.
