How can I prevent OpenSSL (specifically, Python's ssl module) from using system certificate authorities?

In other words, I would like it to trust only the certificate authorities which I specify, and nothing else:

ssl_socket = ssl.wrap_socket(newsocket, server_side=True, certfile="my_cert.pem",
                             ca_certs=MY_TRUSTED_CAs, # <<< Only CAs specified here
                             cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLSv1)
+1  A: 

I've just run a few tests, and listing your selection of CAs in the ca_certs parameter is exactly what you need.

The system I've tried it on is Linux with Python 2.6. If you don't use ca_certs, it doesn't let you use cert_reqs=ssl.CERT_REQUIRED:

Traceback (most recent call last):
  File "sockettest.py", line 18, in <module>
    cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLSv1)
  File "/usr/lib/python2.6/ssl.py", line 350, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/lib/python2.6/ssl.py", line 113, in __init__
    cert_reqs, ssl_version, ca_certs)
ssl.SSLError: _ssl.c:317: No root certificates specified for verification of other-side certificates.

I've also tried to use a client to send a certificate that's not from a CA in the ca_certs parameter, and I get ssl_error_unknown_ca_alert (as expected).

Note that either way, there's no client-certificate CA list sent (in the certificate_authorities list in the CertificateRequest TLS message), but that wouldn't be required. It's only useful to help the client choose the certificate.

Bruno
But, when the client sends a cert, is the CA trusted by your system? I.e., if `MY_PERSONAL_CA`'s certificate is trusted by the system (in my case, I've added it to the OS X system keychain… Not sure off the top of my head what the Linux equivalent is) and `ca_certs = [ TESTING_CA ]`, then I've found that a certificate signed by *either* `MY_PERSONAL_CA` *or* `TESTING_CA` will be accepted. This was Python 2.6 on OS X 10.6.
David Wolever
So, I suppose, if Linux *doesn't* have a central list of trusted CAs (like the OS X keychain), this is only an issue on OS X? (and, since my embedded systems *aren't* going to be running OS X, safe for me to ignore).
David Wolever
A friend suggested that `/usr/share/ca-certificates` is the central repository used by some Linux distros… When I get a chance, I'll see what happens with that.
David Wolever
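
One way to build a server context that trusts only the CAs you name, and to audit what actually ended up in its trust store before accepting connections. This is an added example, not code from the thread: it uses the Python 3 `ssl.SSLContext` API rather than the `ssl.wrap_socket` call shown above, and the function names, file paths and `expected_cns` parameter are hypothetical.

```python
import ssl


def empty_trust_context():
    """Server-side context that demands a client certificate and trusts no CA yet."""
    # A bare SSLContext starts with an empty trust store. System CAs only come
    # in through load_default_certs(), set_default_verify_paths() or
    # ssl.create_default_context(); none of them is called here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def loaded_ca_subjects(ctx):
    """Sorted subject common names of every CA currently loaded in the context."""
    # get_ca_certs() lists CAs loaded from files or data; certificates found
    # lazily through a capath directory do not appear until they are used.
    names = []
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return sorted(names)


def assert_only_pinned(ctx, expected_cns):
    """Raise if the trust store holds anything other than the expected CAs."""
    found = loaded_ca_subjects(ctx)
    if found != sorted(expected_cns):
        raise RuntimeError("unexpected trust store contents: %r" % (found,))
    return found


def pinned_server_context(certfile, keyfile, ca_file, expected_cns):
    """Build the context, load only ca_file, and refuse to continue on a mismatch."""
    ctx = empty_trust_context()
    ctx.load_verify_locations(cafile=ca_file)
    assert_only_pinned(ctx, expected_cns)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx
```

The audit only covers what Python loaded into the context; a platform OpenSSL build that consults another trust source on its own, as the OS X comments above suspect, has to be checked with a real handshake using a certificate from a CA that is not pinned.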