validating HTTPS certificates?
Hi,

(disclaimer: this might be a FAQ entry somewhere but I honestly did use Google)

I'm in the process of picking a language for a client application that accesses an HTTPS (actually SOAP) server. This would be easy enough in Python, but I came across a strange fact: neither httplib nor urllib offer the possibility to actually verify the server's certificate.

After some digging I've found that from 2.6 onward, the ssl module offers such functionality but it's not trivial, at least for me, to glue that to the HTTP protocol modules (and then those to the SOAP module).

Did I miss something? If not, is this feature foreseen, e.g. the trivial build-up of an HTTPS connection while verifying the certificate chain?

thanks,

Andras
-- http://mail.python.org/mailman/listinfo/python-list

Re: validating HTTPS certificates?
On Fri, Jun 26, 2009 at 07:01:24PM +0200, Nobody wrote:
> For a urllib-style interface, there's not much point in performing
> verification after the fact. Either the library performs verification or
> it doesn't. If it doesn't, you've just sent the (potentially confidential)
> request to an unknown server; discovering this after the fact doesn't
> really help.

I was more thinking about supplying a/some CA certificate(s) and requiring that the site cert be valid (otherwise the connection should fail). This sounds very EAFP to me.

Andras

Re: validating HTTPS certificates?
> validation. Validation should just be a matter of passing
> cert_reqs=CERT_REQUIRED and ca_certs= to ssl.wrap_socket(), then checking
> that SSLSocket.getpeercert() returns a non-empty dictionary.

That'd be cool unless I can't use an already-open socket (by SSL, for verification) in any of the built-in HTTP engines, by the look of it.

Andras
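
Added example, not part of the thread and not code from any poster: one way to get the behaviour discussed above (supply CA certificates, have the connection fail before any request is sent) with the Python 3 standard library, where httplib is named `http.client` and `HTTPSConnection` accepts an `ssl.SSLContext`. The function names and the `ca_file` parameter are hypothetical; `ca_file` is assumed to be a path to a PEM bundle of trusted CA certificates.

```python
import http.client
import ssl


def make_verifying_context(ca_file=None):
    """Client context that refuses servers it cannot verify.

    ca_file (hypothetical name): PEM bundle of the CAs to trust. When given,
    only those CAs are trusted; None falls back to the platform trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # create_default_context() already enables both settings; they are set
    # explicitly so the policy is visible and survives later refactoring.
    ctx.check_hostname = True            # certificate must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must lead to a trusted CA
    return ctx


def open_verified(host, port=443, ca_file=None, timeout=10):
    """Return a connected HTTPSConnection, or raise if verification fails."""
    ctx = make_verifying_context(ca_file)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    # connect() performs the TLS handshake, including chain and host name
    # checks, so a bad certificate raises here, before request() writes
    # any application data to the socket.
    conn.connect()
    return conn


def fetch_status(host, path="/", port=443, ca_file=None):
    """Return (status, message); status is None if nothing was sent."""
    try:
        conn = open_verified(host, port, ca_file)
    except ssl.SSLCertVerificationError as exc:
        return None, "certificate rejected: %s" % exc.verify_message
    except OSError as exc:  # refused, timed out, or not speaking TLS
        return None, "connection failed: %s" % exc
    try:
        conn.request("GET", path)
        return conn.getresponse().status, "ok"
    finally:
        conn.close()
```
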
