[Twisted-Python] ISSLTransport.getPeerCertificate returning None?

Laurens Van Houtven _ at lvh.io
Tue Dec 10 02:21:02 MST 2013


On Tue, Dec 10, 2013 at 9:41 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> Unless you set the appropriate verify options on the server side too, the
> client cert isn't available for inspection.
>

A-ha! But I want to do TOFU-POP; the certs are generated by the client, and
there's little point in me signing them (I don't need to be able to verify
that I ever signed them somewhere else).

The context factory I got from PrivateCertificate.options() doesn't seem to
do what I want, so I wrote my own SSL ContextFactory like it's 1999; I used
VERIFY_PEER with a callback that always claims it validated:

from OpenSSL.SSL import Context, TLSv1_METHOD, VERIFY_PEER


class ContextFactory(object):
    def getContext(self):
        ctx = Context(TLSv1_METHOD)
        ctx.use_certificate_file("cert.pem")
        ctx.use_privatekey_file("key.pem")
        # VERIFY_PEER makes OpenSSL request the client certificate;
        # the callback decides whether the handshake continues.
        ctx.set_verify(VERIFY_PEER, _verify)
        return ctx


def _verify(connection, x509, errorNumber, errorDepth, returnCode):
    """Always pretend the certificate verified.

    """
    return True


Does that sound about right, or is there an easier way to do this? (Yeah,
yeah, don't hardcode paths etc :))

cheers
lvh
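The "always claim it validated" callback above only does proof of possession; the trust-on-first-use half still has to pin the certificate somewhere. The following is an added example, not code from the original post or from Twisted: a pyOpenSSL-style verify callback that records the SHA-256 fingerprint of a client's certificate the first time a given identity (the subject CN, an assumption) connects and rejects later connections that present a different certificate. `TOFUStore`, `make_verify` and `FakeX509` are hypothetical names; the fake X509 is constructed so the example runs without pyOpenSSL.

```python
"""Trust-on-first-use (TOFU) pinning of client-generated certificates.
Added example, not from the original post; wire it in with
ctx.set_verify(VERIFY_PEER, make_verify(TOFUStore("pins.json"))).
"""
import json
from pathlib import Path


class TOFUStore(object):
    """Persistent map from peer identity to the first fingerprint seen for it."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, identity, fingerprint):
        """True on first sight (pin recorded) or on an exact match with the pin."""
        pinned = self.pins.get(identity)
        if pinned is None:
            self.pins[identity] = fingerprint
            self.path.write_text(json.dumps(self.pins))
            return True
        return pinned == fingerprint


def make_verify(store):
    """Build a callback with pyOpenSSL's (connection, x509, errnum, errdepth, ok) signature."""
    def _verify(connection, x509, errnum, errdepth, ok):
        # A self-signed client cert always fails chain validation (ok == 0), so
        # OpenSSL's verdict is ignored and only the leaf (depth 0) is pinned.
        if errdepth != 0:
            return True
        identity = x509.get_subject().commonName
        fingerprint = x509.digest("sha256")  # b"AB:CD:..." in pyOpenSSL
        if isinstance(fingerprint, bytes):
            fingerprint = fingerprint.decode("ascii")
        return store.check(identity, fingerprint)
    return _verify


class FakeX509(object):
    """Constructed stand-in for OpenSSL.crypto.X509 so the example runs offline."""
    def __init__(self, cn, fingerprint):
        self.cn, self.fp = cn, fingerprint

    def get_subject(self):
        return type("Subject", (), {"commonName": self.cn})()

    def digest(self, algo):
        return self.fp.encode("ascii")
```

A changed fingerprint for a known identity is the event worth logging: with a TOFU model it is the only signal that a key was rotated or that someone else is presenting that name.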

