From: Sebastian G. <seb...@gm...> - 2008-09-17 19:27:21

-----Original message-----
From: pyo...@li... [mailto:pyo...@li...] On behalf of Jean-Paul Calderone
Sent: 17 September 2008 20:30
To: pyo...@li...
Subject: Re: [pyOpenSSL] How can I verify client that the client is signed by me?

<snip />

> If you want to make sure the client's certificate is signed by a particular
> key which your server has, then you should specify that key's corresponding
> certificate as a trusted CA certificate (with a method of the context object,
> perhaps load_verify_locations, though there are a bunch of functions which
> do similar things, the correct one for you may depend on some other factors).

That's exactly what I'm trying to do. However, I can't make the load_verify_locations function work. Executing the code below I get

    (<class exceptions.AttributeError at 0x2b891d0596b0>, <exceptions.AttributeError instance at 0x2b891ed9d758>, <traceback object at 0x2b891ed9d830>)

    import sys

    # Method of the server's connection-handling class; self.caFile is the
    # path to the CA certificate. Registered as the verify callback, so it
    # is called once per certificate in the client's chain.
    def _verify(self, conn, cert, errno, depth, retcode):
        try:
            # cert is an OpenSSL.crypto.X509 object; load_verify_locations
            # is a Context method, which is what the AttributeError above reports.
            cert.load_verify_locations(self.caFile)
        except:
            print sys.exc_info()

> Then, make sure you respect OpenSSL's decision in the verify callback. This
> is given by the `retcode` parameter. If the client's certificate is not
> signed by a certificate you told the context object to consider a trusted CA
> certificate, `retcode` will be false. You can add whatever additional
> checks you want on top of that (ie, for the subject's name or what have you)
> but if `retcode` is false, you should return false from the verify function.

I'd very much like to do so :) But does that mean that I should set it to something or check it or what?

Best regards,
Seb
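The setup Jean-Paul describes, as an added example that is not part of the original thread or of pyOpenSSL itself: the CA certificate is loaded on the Context (not on the X509 passed to the callback), and the callback returns False whenever `retcode` is false, only adding its own checks on top of a true `retcode`. It assumes a pyOpenSSL new enough to have `SSL.TLS_METHOD`, a hypothetical `allowed_cn` pin for the leaf certificate's CN, and a constructed `StubX509` stand-in so the callback can be exercised offline without a handshake.

```python
"""Added example (not from the original thread): a pyOpenSSL server Context that
trusts exactly one CA certificate, plus a verify callback that respects OpenSSL's
own verdict (`retcode`) before applying any extra checks."""
import sys

try:
    from OpenSSL import SSL  # pyOpenSSL; only needed by make_server_context()
except ImportError:          # keep the callback logic importable without it
    SSL = None


def verify_client(conn, cert, errno, depth, retcode, allowed_cn=None):
    """Verify callback in the shape Context.set_verify() expects.

    OpenSSL has already checked this certificate against the CAs loaded with
    Context.load_verify_locations(); its verdict is `retcode`. Returning a
    false value rejects the handshake, a true value accepts this link of the
    chain. A false `retcode` is never turned into an acceptance.
    """
    if not retcode:
        # Not signed by a trusted CA (or expired, etc.); errno/depth say why.
        print("rejecting depth %d: verify error %d" % (depth, errno),
              file=sys.stderr)
        return False
    if depth == 0 and allowed_cn is not None:
        # Extra check on the leaf only (depth 0): pin the expected subject CN.
        # Intermediates and the CA itself (depth > 0) are left to OpenSSL.
        return cert.get_subject().commonName == allowed_cn
    return True


def make_server_context(ca_file, cert_file, key_file, allowed_cn=None):
    """Build a server Context requiring a client cert signed by ca_file's key."""
    if SSL is None:
        raise RuntimeError("pyOpenSSL is not installed")
    ctx = SSL.Context(SSL.TLS_METHOD)  # assumption: pyOpenSSL >= 20 (TLS_METHOD)
    ctx.use_certificate_file(cert_file)
    ctx.use_privatekey_file(key_file)
    # The CA certificate whose key signed the clients. This is a Context
    # method; calling it on the X509 handed to the callback raises AttributeError.
    ctx.load_verify_locations(ca_file)
    ctx.set_verify(
        SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
        lambda conn, cert, errno, depth, ok:
            verify_client(conn, cert, errno, depth, ok, allowed_cn),
    )
    return ctx


class StubX509:
    """Constructed stand-in for OpenSSL.crypto.X509, for offline exercise only."""

    def __init__(self, cn):
        self._cn = cn

    def get_subject(self):
        return type("Name", (), {"commonName": self._cn})()


def demo():
    """Exercise the callback with constructed inputs (no network, no certs)."""
    leaf = StubX509("client-1")
    return {
        # errno 19 = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: OpenSSL said no.
        "untrusted chain": verify_client(None, leaf, 19, 1, 0, "client-1"),
        "trusted, cn ok": verify_client(None, leaf, 0, 0, 1, "client-1"),
        "trusted, cn wrong": verify_client(None, leaf, 0, 0, 1, "client-2"),
        "trusted intermediate": verify_client(None, StubX509("My CA"), 0, 1, 1, "client-1"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s -> %s" % (name, "accept" if ok else "reject"))
```

The CN pin is the optional "additional check" layered on top of OpenSSL's verdict; with `allowed_cn=None` the callback simply echoes `retcode`, which is the minimum correct behaviour.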