From: <ex...@tw...> - 2012-12-14 17:54:34

On 10:14 am, ma...@eg... wrote:
>Hi Jean-Paul,
>
>BTW: What benefit do you see in switching mailing list hosts ?
>Why not use python.org as host instead of LP or SF ? (I can
>help with a python.org transition)

I'd like to get pyOpenSSL entirely off of sourceforge so that I no longer need to interact with sourceforge (as doing so is a perpetually unpleasant experience). I think everyone else in the community would benefit from this as well.

I chose Launchpad because it was easy to set up, and because that's where the rest of pyOpenSSL's infrastructure has moved. This was meant to make things easier and reduce confusion amongst potential community members. I'm not sure this has succeeded. As you point out, there are some problems with Launchpad.

If you'd like to spearhead a move of the mailing list to python.org-based hosting, that's fine with me. I can't offer much help with that move, but I'll do whatever I can to remove any roadblocks you encounter.

Jean-Paul

From: M.-A. L. <ma...@eg...> - 2012-12-14 10:14:54

Hi Jean-Paul,

I find a couple of minor issues with the move you are suggesting:

* The launchpad list is *very* hard to find on the project page:

  It's hidden away in the "Answers" tab in a small box named "Answer contacts for pyOpenSSL", which then finally lets you arrive at:

  https://launchpad.net/~pyopenssl-users

* You have to be a team member to subscribe to the list

  I don't know what other implications "team member" has, but at the very least you have to sign up on Launchpad to subscribe to the mailing list, which is not required for the SF list.

* The subscriber list is publicly visible, unlike for the SF list.

  This is not a major bummer, but certainly a privacy issue for some.

This can all be fixed, I suppose (I don't know anything about LP mailing list configurations).

To make the transition smooth, I'd suggest to get the SF mailing list archive imported into LP, configure the LP mailing list like the SF one (no public membership roster, no LP signup requirement) and put a link to the mailing list right on the project's overview page. Then switch off the SF list, to avoid cross postings to both lists.

BTW: What benefit do you see in switching mailing list hosts ? Why not use python.org as host instead of LP or SF ? (I can help with a python.org transition)

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Dec 14 2012)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
2012-12-14: Released mxODBC.Connect 2.0.2 ... http://egenix.com/go38
2012-12-05: Released eGenix pyOpenSSL 0.13 ... http://egenix.com/go37
2012-11-28: Released eGenix mx Base 3.2.5 ... http://egenix.com/go36
2013-01-22: Python Meeting Duesseldorf ... 39 days to go

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

From: eGenix T. M.-A. L. <in...@eg...> - 2012-12-05 09:30:15

________________________________________________________________________

ANNOUNCING

eGenix.com pyOpenSSL Distribution

Version 0.13.0-1.0.1c

An easy-to-install and easy-to-use distribution of the pyOpenSSL Python interface for OpenSSL - available for Windows, Mac OS X and Unix platforms

This announcement is also available on our web-site for online reading:
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.0-1.0.1c-1.html

________________________________________________________________________

INTRODUCTION

The eGenix.com pyOpenSSL Distribution includes everything you need to get started with SSL in Python. It comes with an easy-to-use installer that includes the most recent OpenSSL library versions in pre-compiled form, making your application independent of OS provided OpenSSL libraries:

http://www.egenix.com/products/python/pyOpenSSL/

pyOpenSSL is an open-source Python add-on that allows writing SSL/TLS-aware network applications as well as certificate management tools:

https://launchpad.net/pyopenssl/

OpenSSL is an open-source implementation of the SSL/TLS protocol:

http://www.openssl.org/

________________________________________________________________________

NEWS

This new release of the eGenix.com pyOpenSSL Distribution updates the included OpenSSL version to 1.0.1c.

New features in OpenSSL 1.0.1c since 1.0.0j
-------------------------------------------

OpenSSL 1.0.1c includes several new features:

* TLS/DTLS heartbeat support
* Next Protocol Negotiation
* Support TLS v1.2 and TLS v1.1

as well as several other new features:

http://lwn.net/Articles/486426/

fixes vulnerabilities relative to 1.0.0j:

http://openssl.org/news/vulnerabilities.html

and includes a number of stability enhancements as well as extra protection against attacks:

http://openssl.org/news/changelog.html

New features in the eGenix pyOpenSSL Distribution
-------------------------------------------------

* Added the openssl binary to the OpenSSL package directory. This can be used to access OpenSSL functionality not exposed by pyOpenSSL.
* Changed the Windows OPENSSLDIR default to c:\openssl\ to simplify OpenSSL configuration.
* Fixed OpenSSL assembler build issues on Windows x64 and Mac OS X PPC/x86.

As always, we provide binaries that include both pyOpenSSL and the necessary OpenSSL libraries for all supported platforms: Windows x86 and x64, Linux x86 and x64, Mac OS X PPC, x86 and x64.

We've also added egg-file distribution versions of our eGenix.com pyOpenSSL Distribution for Windows, Linux and Mac OS X to the available download options. These make setups using e.g. zc.buildout and other egg-file based installers a lot easier.

________________________________________________________________________

DOWNLOADS

The download archives and instructions for installing the package can be found at:

http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

UPGRADING

Before installing this version of pyOpenSSL, please make sure that you uninstall any previously installed pyOpenSSL version. Otherwise, you could end up not using the included OpenSSL libs.

________________________________________________________________________

SUPPORT

Commercial support for these packages is available from eGenix.com. Please see

http://www.egenix.com/services/support/

for details about our support offerings.

________________________________________________________________________

MORE INFORMATION

For more information about the eGenix pyOpenSSL Distribution, licensing and download instructions, please visit our web-site or write to sa...@eg....

Enjoy,
--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Dec 05 2012)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
2012-11-28: Released eGenix mx Base 3.2.5 ... http://egenix.com/go36
2013-01-22: Python Meeting Duesseldorf ... 48 days to go

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

From: James C. <jam...@jv...> - 2012-09-02 06:50:18

Thanks for your help, consider this problem resolved. Cheers for the pointer to the unit tests!

J

On Fri, Aug 31, 2012 at 2:49 PM, <ex...@tw...> wrote:
> On 30 Aug, 04:46 pm, jam...@jv... wrote:
>>Hi,
>>
>>I believe that as of 0.11, pyOpenSSL has started supporting the
>>verification of signatures. I am working on a project which was
>>started by someone else using M2Crypto. M2Crypto is really painful to
>>include on platforms such as Heroku as it requires the use of SWIG.
>>Consequently I am trying to remove the dependency on M2Crypto and
>>replace with pyOpenSSL which is easy to install via Pip, and doesn't
>>require custom buildpacks and more which SWIG-related things do.
>>
>>The link to the original code is
>>[here](https://github.com/pyroven/django-pyroven) and requires a
>>reasonably significant refactoring, as it falls a long way from 12
>>Factor App ideals. However, I wanted to know whether I was on the
>>right track for replacing the M2Crypto functions, which at present
>>consist:
>>
>>key = cert.get_pubkey() # Cert is an M2Crypto X509 object
>>key = key.get_rsa()
>>ret = key.verify(hashed, self.sig)
>>if ret != 1:
>> # Cert invalid ... etc.
>>
>>I tried to replace this with:
>>
>>crypto.verify(cert, self.sig, hashed, 'sha1') # cert X509 object from
>>crypto.load_certificate()
>>
>>Which I had assumed was roughly equivalent to the above, but I wonder
>>whether I got the wrong end of the stick having read through the
>>source as to what crypto.verify was actually doing.
>>
>>At the present time I end up with the Exception:
>>
>>[('rsa routines', 'RSA_verify', 'bad signature')]
>>
>>Which is difficult to tell whether the code is right and the
>>hash/verification is correctly failing, or whether I'm actually doing
>>something which is fundamentally incorrect.
>
> Hi James,
>
> Consider the unit test for OpenSSL.crypto.verify (which passes on my
> system):
>
> http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/test/test_crypto.py#L2750
>
> (Sorry about the broken URL :/)
>
> It looks like you're doing roughly the right thing, at least as far as
> pyOpenSSL is concerned.
>
> Unrelatedly, I'm copying pyo...@li... on my
> reply, as I'd prefer to switch pyOpenSSL completely off of sourceforge
> at some point.
>>Thanks for your help!
>>
>>J

From: <ex...@tw...> - 2012-08-31 13:50:20

On 30 Aug, 04:46 pm, jam...@jv... wrote:
>Hi,
>
>I believe that as of 0.11, pyOpenSSL has started supporting the
>verification of signatures. I am working on a project which was
>started by someone else using M2Crypto. M2Crypto is really painful to
>include on platforms such as Heroku as it requires the use of SWIG.
>Consequently I am trying to remove the dependency on M2Crypto and
>replace with pyOpenSSL which is easy to install via Pip, and doesn't
>require custom buildpacks and more which SWIG-related things do.
>
>The link to the original code is
>[here](https://github.com/pyroven/django-pyroven) and requires a
>reasonably significant refactoring, as it falls a long way from 12
>Factor App ideals. However, I wanted to know whether I was on the
>right track for replacing the M2Crypto functions, which at present
>consist:
>
>key = cert.get_pubkey() # Cert is an M2Crypto X509 object
>key = key.get_rsa()
>ret = key.verify(hashed, self.sig)
>if ret != 1:
> # Cert invalid ... etc.
>
>I tried to replace this with:
>
>crypto.verify(cert, self.sig, hashed, 'sha1') # cert X509 object from
>crypto.load_certificate()
>
>Which I had assumed was roughly equivalent to the above, but I wonder
>whether I got the wrong end of the stick having read through the
>source as to what crypto.verify was actually doing.
>
>At the present time I end up with the Exception:
>
>[('rsa routines', 'RSA_verify', 'bad signature')]
>
>Which is difficult to tell whether the code is right and the
>hash/verification is correctly failing, or whether I'm actually doing
>something which is fundamentally incorrect.

Hi James,

Consider the unit test for OpenSSL.crypto.verify (which passes on my system):

http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/test/test_crypto.py#L2750

(Sorry about the broken URL :/)

It looks like you're doing roughly the right thing, at least as far as pyOpenSSL is concerned.

Unrelatedly, I'm copying pyo...@li... on my reply, as I'd prefer to switch pyOpenSSL completely off of sourceforge at some point.

>Thanks for your help!
>
>J

From: James C. <jam...@jv...> - 2012-08-30 17:13:20

Hi,

I believe that as of 0.11, pyOpenSSL has started supporting the verification of signatures. I am working on a project which was started by someone else using M2Crypto. M2Crypto is really painful to include on platforms such as Heroku as it requires the use of SWIG. Consequently I am trying to remove the dependency on M2Crypto and replace with pyOpenSSL which is easy to install via Pip, and doesn't require custom buildpacks and more which SWIG-related things do.

The link to the original code is [here](https://github.com/pyroven/django-pyroven) and requires a reasonably significant refactoring, as it falls a long way from 12 Factor App ideals. However, I wanted to know whether I was on the right track for replacing the M2Crypto functions, which at present consist:

    key = cert.get_pubkey() # Cert is an M2Crypto X509 object
    key = key.get_rsa()
    ret = key.verify(hashed, self.sig)
    if ret != 1:
        # Cert invalid ... etc.

I tried to replace this with:

    crypto.verify(cert, self.sig, hashed, 'sha1') # cert X509 object from crypto.load_certificate()

Which I had assumed was roughly equivalent to the above, but I wonder whether I got the wrong end of the stick having read through the source as to what crypto.verify was actually doing.

At the present time I end up with the Exception:

    [('rsa routines', 'RSA_verify', 'bad signature')]

Which is difficult to tell whether the code is right and the hash/verification is correctly failing, or whether I'm actually doing something which is fundamentally incorrect.

Thanks for your help!

J

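An added illustration for the porting question in this thread (not code from the posters or from pyOpenSSL): M2Crypto's `RSA.verify` takes the message digest, while `crypto.verify` takes the original data and hashes it itself, so handing an already-hashed value to the latter is one way to get `bad signature`. The sketch models both call shapes with standard-library arithmetic; the toy key, the function names and the reading of `hashed` as a SHA-1 digest are assumptions, and the thread does not say what resolved the problem.

```python
import hashlib
import hmac

# Constructed toy key built from two Mersenne primes. It keeps the example
# offline and dependency-free; it is not a usable RSA key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus size in bytes

# DER DigestInfo prefix for SHA-1 (PKCS #1 v1.5).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def _pad(digest):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo(SHA-1, digest)."""
    t = SHA1_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_digest(digest):
    """Sign a 20-byte SHA-1 digest with the toy private key."""
    return pow(int.from_bytes(_pad(digest), "big"), D, N).to_bytes(K, "big")


def verify_digest(digest, sig):
    """Digest-in call shape (RSA_verify, which M2Crypto's RSA.verify wraps)."""
    s = int.from_bytes(sig, "big")
    if len(digest) != 20 or len(sig) != K or s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, _pad(digest))


def verify_data(data, sig):
    """Data-in call shape (crypto.verify with 'sha1'): the callee hashes."""
    return verify_digest(hashlib.sha1(data).digest(), sig)


def demo():
    # Constructed message standing in for whatever the application signs.
    data = b"constructed message, stands in for the signed response"
    hashed = hashlib.sha1(data).digest()
    sig = sign_digest(hashed)
    return {
        "digest API, hashed": verify_digest(hashed, sig),
        "data API, hashed": verify_data(hashed, sig),   # input is hashed twice
        "data API, data": verify_data(data, sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20} -> {'ok' if ok else 'bad signature'}")
```

When a port from a digest-in API to a data-in API fails this way, checking the same signature against both the raw data and its digest separates a call-shape mismatch from a genuinely invalid signature.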
From: <phi...@st...> - 2012-08-24 15:10:10

Hi Richard and Jean-Paul,

Thanks for the feedback and pointers. I will take a look at the feasibility and discuss with colleagues here who've also had experience with the OpenSSL interfaces. You've pretty much re-enforced my impressions of it from anecdotal evidence elsewhere.

Cheers,
Phil

On 24/08/2012 09:53, "Richard Moore" <ric...@gm...> wrote:
>On 23 August 2012 19:28, <ex...@tw...> wrote:
>> What I *mostly* know is that the OpenSSL APIs are terrible, and
>> generally each in their own unique way. Coming up with an approach to
>> wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around
>> the documentation for a while, hoping to come across a nice looking
>> function, then giving up on that and wandering through the source for a
>> while (sometimes you can even find the implementation of a function),
>> then giving up on that and looking around for other open source
>> applications that do roughly the same kind of thing you think you want
>> to do and reading their source instead. Between those three sources of
>> information, it's sometimes possible to understand what APIs exist to
>> accomplish your goal and how they are used.
>
>That pretty much sums up my experience of working with it. There are a
>couple of books out there that can help you get started too.
>
>[snip]
>> 3. The current extension API which operates in terms of strings is
>> broken and hides some features of arbitrary extensions. I forget
>> exactly how, though. It is something like "Extension data is treated as
>> a string value, prohibiting the use of any extensions which have non-
>> string data", but perhaps it's extension names that are the problem and
>> not data, or perhaps it's only one of the accessor APIs where this
>> mistake is made, I can't remember, and looking at the code now, I don't
>> understand/remember the OpenSSL APIs well enough to be able to tell.
>
>Extensions can be structured.
>
>>
>> 4. Apparently only extensions with names recognized by OpenSSL are
>> supported now. It looks like you want to specify an extension by its
>> OID, which I presume requires the use of a different API than pyOpenSSL
>> is currently using (ie, perhaps you cannot do this with
>> X509V3_EXT_nconf). So the approach taken to implement extension get/set
>> may require exploring an alternate API.
>>
>> I realize this probably provides more questions than answers, but off
>> the top of my head it's the best I can do. Perhaps someone on the list
>> more familiar with the OpenSSL extension APIs can help answer some of
>> these.
>
>I've written a generic read-only API for extensions for Qt (linked
>below). It supports some extensions directly (eg. basic constraints)
>but also supports converting the arbitrary ASN.1 structures into
>nested lists etc. A similar approach could work in python. If there's
>anything in the code you have questions about feel free to ask.
>
>https://codereview.qt-project.org/#change,7976
>
>Cheers
>
>Rich.

From: Richard M. <ric...@gm...> - 2012-08-24 08:54:06

On 23 August 2012 19:28, <ex...@tw...> wrote:
> What I *mostly* know is that the OpenSSL APIs are terrible, and
> generally each in their own unique way. Coming up with an approach to
> wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around
> the documentation for a while, hoping to come across a nice looking
> function, then giving up on that and wandering through the source for a
> while (sometimes you can even find the implementation of a function),
> then giving up on that and looking around for other open source
> applications that do roughly the same kind of thing you think you want
> to do and reading their source instead. Between those three sources of
> information, it's sometimes possible to understand what APIs exist to
> accomplish your goal and how they are used.

That pretty much sums up my experience of working with it. There are a couple of books out there that can help you get started too.

[snip]
> 3. The current extension API which operates in terms of strings is
> broken and hides some features of arbitrary extensions. I forget
> exactly how, though. It is something like "Extension data is treated as
> a string value, prohibiting the use of any extensions which have non-
> string data", but perhaps it's extension names that are the problem and
> not data, or perhaps it's only one of the accessor APIs where this
> mistake is made, I can't remember, and looking at the code now, I don't
> understand/remember the OpenSSL APIs well enough to be able to tell.

Extensions can be structured.

>
> 4. Apparently only extensions with names recognized by OpenSSL are
> supported now. It looks like you want to specify an extension by its
> OID, which I presume requires the use of a different API than pyOpenSSL
> is currently using (ie, perhaps you cannot do this with
> X509V3_EXT_nconf). So the approach taken to implement extension get/set
> may require exploring an alternate API.
>
> I realize this probably provides more questions than answers, but off
> the top of my head it's the best I can do. Perhaps someone on the list
> more familiar with the OpenSSL extension APIs can help answer some of
> these.

I've written a generic read-only API for extensions for Qt (linked below). It supports some extensions directly (eg. basic constraints) but also supports converting the arbitrary ASN.1 structures into nested lists etc. A similar approach could work in python. If there's anything in the code you have questions about feel free to ask.

https://codereview.qt-project.org/#change,7976

Cheers

Rich.

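The nested-list approach Richard describes, sketched in Python with only the standard library (an added example, not code from the Qt change or from pyOpenSSL). It reads a DER-encoded X.509 `Extension` identified by OID and converts a structured `extnValue` into nested lists, falling back to raw bytes when the value is not DER; the sample bytes for OID 1.2.3.4 are constructed by hand and the function names are made up for the example.

```python
# Constructed samples for OID 1.2.3.4 (not taken from a real certificate).
# critical=TRUE, extnValue wraps SEQUENCE { UTF8String "myextension", INTEGER 7 }
STRUCTURED = bytes.fromhex(
    "301c" "06032a0304" "0101ff" "0412"
    "3010" "0c0b6d79657874656e73696f6e" "020107")
# critical omitted (DEFAULT FALSE), extnValue is the bare string "myextension"
OPAQUE = bytes.fromhex("3012" "06032a0304" "040b6d79657874656e73696f6e")


def _read_tlv(buf, pos):
    """Return (tag, value bytes, next position); reject anything that is not DER."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled here")
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        n = first & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Base-128 arcs; the first byte packs the first two arcs as 40*a + b."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode(buf, depth=0):
    """Decode consecutive DER elements into Python values and nested lists."""
    if depth > 32:
        raise ValueError("nesting too deep")
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        if tag & 0x20:                       # constructed: SEQUENCE, SET, [n]
            out.append(decode(body, depth + 1))
        elif tag == 0x01:
            out.append(body != b"\x00")
        elif tag == 0x02:
            out.append(int.from_bytes(body, "big", signed=True))
        elif tag == 0x05:
            out.append(None)
        elif tag == 0x06:
            out.append(_decode_oid(body))
        elif tag in (0x0C, 0x13, 0x16):      # UTF8String, PrintableString, IA5String
            out.append(body.decode("utf-8"))
        else:                                # unknown primitive: keep tag and bytes
            out.append((tag, bytes(body)))
    return out


def parse_extension(der):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. Returns (oid, critical, value)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    tag, val, pos = _read_tlv(body, pos)
    critical = False
    if tag == 0x01:
        critical = val != b"\x00"
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    try:
        value = decode(val)                  # structured extension
    except ValueError:
        value = bytes(val)                   # opaque payload, hand back as-is
    return _decode_oid(oid), critical, value


if __name__ == "__main__":
    print(parse_extension(STRUCTURED))
    print(parse_extension(OPAQUE))
```

The fallback is a heuristic: opaque bytes that happen to parse as DER would be returned as a list, so a caller that knows the OID's real syntax should decode the value itself.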
From: <ex...@tw...> - 2012-08-23 18:29:14

On 05:22 pm, phi...@st... wrote:
>Hi Jean-Paul,
>
>It may be possible to get some of this work done. Can you provide some
>pointers + any preferences how you would want the relevant OpenSSL
>interfaces exposed through Python?

Hiya Phil,

I'd love to give you some hints on this one. First though, I want to point out that your question is a bit more of a stumper than you might have expected. Though I'm the pyOpenSSL maintainer, I'm far from an expert on all of the OpenSSL APIs.

What I *mostly* know is that the OpenSSL APIs are terrible, and generally each in their own unique way. Coming up with an approach to wrap a new OpenSSL API in pyOpenSSL usually involves stumbling around the documentation for a while, hoping to come across a nice looking function, then giving up on that and wandering through the source for a while (sometimes you can even find the implementation of a function), then giving up on that and looking around for other open source applications that do roughly the same kind of thing you think you want to do and reading their source instead. Between those three sources of information, it's sometimes possible to understand what APIs exist to accomplish your goal and how they are used.

With a tenuous grip on that material, it's a question of deciding how the behavior could be exposed to Python. Sometimes this is obvious, as in the case of SSL_write. Other times it's obvious but admitting the reality is difficult, as in the case of the PKey APIs where OpenSSL reference counting and CPython reference counting contend with each other, requiring careful multi-library reference counting tricks to avoid double frees and other memory corruption.

All of this may sound like a lot of work, and it is. Unfortunately it's hard to come to any sound decisions about what the Python API should look like until a lot of the background work has been done. pyOpenSSL is an extremely leaky abstraction: wherever it diverges very far from the behavior of OpenSSL, things get difficult, so my philosophy since taking over the project has been to avoid any divergence from OpenSSL except those that are unavoidable (and grandfathering in some divergences, such as the class-oriented API).

That said (and apologies for that bit of ranting, but I needed to get it out), here are some suggestions I can make with respect to improving the x509 extension support:

1. Some extensions require a X509V3_CTX structure to supply additional configuration/parameters. It may be necessary to represent this structure in Python in order to provide an API which can really create arbitrary extensions (or I could be wrong).

2. X509V3_EXT_nconf seems like an important extension API which pyOpenSSL currently uses as part of the existing extension support, but does not exactly "expose". Many of its features are hidden and unavailable from Python. This might be an area in which to make improvements (or I could be wrong).

3. The current extension API which operates in terms of strings is broken and hides some features of arbitrary extensions. I forget exactly how, though. It is something like "Extension data is treated as a string value, prohibiting the use of any extensions which have non-string data", but perhaps it's extension names that are the problem and not data, or perhaps it's only one of the accessor APIs where this mistake is made, I can't remember, and looking at the code now, I don't understand/remember the OpenSSL APIs well enough to be able to tell.

4. Apparently only extensions with names recognized by OpenSSL are supported now. It looks like you want to specify an extension by its OID, which I presume requires the use of a different API than pyOpenSSL is currently using (ie, perhaps you cannot do this with X509V3_EXT_nconf). So the approach taken to implement extension get/set may require exploring an alternate API.

I realize this probably provides more questions than answers, but off the top of my head it's the best I can do. Perhaps someone on the list more familiar with the OpenSSL extension APIs can help answer some of these.

Jean-Paul

From: <phi...@st...> - 2012-08-23 17:22:58

Hi Jean-Paul,

It may be possible to get some of this work done. Can you provide some pointers + any preferences how you would want the relevant OpenSSL interfaces exposed through Python?

Thanks,
Phil

________________________________________
From: ex...@tw... [ex...@tw...]
Sent: 23 August 2012 13:11
To: pyo...@li...; pyo...@li...
Subject: Re: [pyOpenSSL] Arbitrary extension to X.509 certificate

On 10:39 am, phi...@st... wrote:
>Hi all,
>
>I'd like to find out if pyOpenSSL supports the addition of arbitrary
>certificate extensions. I see here that you can add extensions:
>
>http://stackoverflow.com/questions/7279282/extract-the-value-of-a-x-509
>-certificate-custom-extension-using-pyopenssl

As you discovered, only some extensions are supported. To support arbitrary extensions, more "APIs" from OpenSSL will need to be exposed. This is probably possible, and only a matter of someone doing the work.

I'm copying pyo...@li... on this reply. Please prefer the Launchpad mailing list for future correspondence. Thanks.

Jean-Paul

>But if I try this I get:
>>>>from OpenSSL import crypto
>>>>ext = crypto.X509Extension('1.2.3.4', 0, 'myextension')
>Traceback (most recent call last):
> File "<stdin>", line 1, in <module>
>OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'unknown
>extension name'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in
>extension')]
>
>If it is not currently possible is there some means that the relevant
>OpenSSL API calls needed could be exposed through pyOpenSSL?
>
>Thanks,
>Phil

From: <ex...@tw...> - 2012-08-23 12:11:50

On 10:39 am, phi...@st... wrote:
>Hi all,
>
>I'd like to find out if pyOpenSSL supports the addition of arbitrary
>certificate extensions. I see here that you can add extensions:
>
>http://stackoverflow.com/questions/7279282/extract-the-value-of-a-x-509
>-certificate-custom-extension-using-pyopenssl

As you discovered, only some extensions are supported. To support arbitrary extensions, more "APIs" from OpenSSL will need to be exposed. This is probably possible, and only a matter of someone doing the work.

I'm copying pyo...@li... on this reply. Please prefer the Launchpad mailing list for future correspondence. Thanks.

Jean-Paul

>But if I try this I get:
>>>>from OpenSSL import crypto
>>>>ext = crypto.X509Extension('1.2.3.4', 0, 'myextension')
>Traceback (most recent call last):
> File "<stdin>", line 1, in <module>
>OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'unknown
>extension name'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in
>extension')]
>
>If it is not currently possible is there some means that the relevant
>OpenSSL API calls needed could be exposed through pyOpenSSL?
>
>Thanks,
>Phil

From: <phi...@st...> - 2012-08-23 10:40:31

Hi all,

I'd like to find out if pyOpenSSL supports the addition of arbitrary certificate extensions. I see here that you can add extensions:

http://stackoverflow.com/questions/7279282/extract-the-value-of-a-x-509-certificate-custom-extension-using-pyopenssl

But if I try this I get:

    >>> from OpenSSL import crypto
    >>> ext = crypto.X509Extension('1.2.3.4', 0, 'myextension')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'unknown extension name'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]

If it is not currently possible is there some means that the relevant OpenSSL API calls needed could be exposed through pyOpenSSL?

Thanks,
Phil

From: Yann L. <as...@la...> - 2012-08-23 09:53:44

On 08/22/2012 10:51 PM, Yann Leboulanger wrote:
> On 08/22/2012 10:44 PM, ex...@tw... wrote:
>> On 07:13 pm, as...@la... wrote:
>>> Hi,
>>>
>>> I'm having problems closing an OpenSSL.SSL.Connection.
>>
>> Hi Yann,
>>
>> Perhaps you can explain your goals in a little more detail. "Shutdown"
>> unfortunately has several possible meanings in the context of an SSL
>> connection.
>>
>> It could mean you want to perform an orderly SSL protocol shutdown.
>> There are two variations of this. You might want to do so without
>> shutting down the underlying (TCP?) connection. Or you might want to
>> shut down that underlying connection.
>>
>> Or it could just mean you want to close the connection, either in an
>> orderly fashion or otherwise (people tend to be sloppy about closing SSL
>> connections, particularly when using SSL for HTTPS).
>>
>> Shutdown and close are also distinct operations when it comes to the
>> underlying TCP connection. You might want to actually close the
>> underlying TCP connection, rather than just shutting it down.
>>
>> So, are any of those close to what you want to do? Please elaborate,
>> perhaps providing a short, self-contained, complete (minimal) example in
>> doing so (<http://sscce.org/>).
>>
>> Also, I have copied the Launchpad user list on this reply, as I would
>> consider it a great boon if pyOpenSSL eventually completely moved off of
>> sourceforge, including no longer using the sourceforge hosted mailing
>> list service.
>
> Hi,
>
> Thanks for your reply.
>
> What I want to do is to completely close the socket.
> My application opens a socket, transfers things, and once finished I want
> to close the socket.
>
> From what I understand I'm supposed to call shutdown() then close() but
> that doesn't work for me :/
>
> It's hard for me to provide a small example, because having
> non-blocking sockets isn't done in 2 lines :/
>

After debugging and debugging again, I found that I did SSL over SSL ... And in this case I was not able to shutdown the second SSL connection.

Now that my code doesn't do SSL over SSL, I can correctly shutdown() and then close() the connection.

[OT] sad that shutdown() doesn't take an argument like the standard socket. I know it's discussed in bug 900792: https://bugs.launchpad.net/pyopenssl/+bug/900792

Sorry for the noise!

--
Yann

From: <ex...@tw...> - 2012-08-22 21:30:34
|
On 07:13 pm, as...@la... wrote:
>Hi,
>
>I'm having problems closing an OpenSSL.SSL.Connection.

Hi Yann,

Perhaps you can explain your goals in a little more detail. "Shutdown"
unfortunately has several possible meanings in the context of an SSL
connection.

It could mean you want to perform an orderly SSL protocol shutdown.
There are two variations of this. You might want to do so without
shutting down the underlying (TCP?) connection. Or you might want to
shut down that underlying connection.

Or it could just mean you want to close the connection, either in an
orderly fashion or otherwise (people tend to be sloppy about closing SSL
connections, particularly when using SSL for HTTPS).

Shutdown and close are also distinct operations when it comes to the
underlying TCP connection. You might want to actually close the
underlying TCP connection, rather than just shutting it down.

So, are any of those close to what you want to do? Please elaborate,
perhaps providing a short, self-contained, complete (minimal) example in
doing so (<http://sscce.org/>).

Also, I have copied the Launchpad user list on this reply, as I would
consider it a great boon if pyOpenSSL eventually completely moved off of
sourceforge, including no longer using the sourceforge hosted mailing
list service.

Thanks,
Jean-Paul |
From: Yann L. <as...@la...> - 2012-08-22 20:51:32
|
On 08/22/2012 10:44 PM, ex...@tw... wrote:
> On 07:13 pm, as...@la... wrote:
>> Hi,
>>
>> I'm having problems closing an OpenSSL.SSL.Connection.
>
> Hi Yann,
>
> Perhaps you can explain your goals in a little more detail. "Shutdown"
> unfortunately has several possible meanings in the context of an SSL
> connection.
>
> It could mean you want to perform an orderly SSL protocol shutdown.
> There are two variations of this. You might want to do so without
> shutting down the underlying (TCP?) connection. Or you might want to
> shut down that underlying connection.
>
> Or it could just mean you want to close the connection, either in an
> orderly fashion or otherwise (people tend to be sloppy about closing SSL
> connections, particularly when using SSL for HTTPS).
>
> Shutdown and close are also distinct operations when it comes to the
> underlying TCP connection. You might want to actually close the
> underlying TCP connection, rather than just shutting it down.
>
> So, are any of those close to what you want to do? Please elaborate,
> perhaps providing a short, self-contained, complete (minimal) example in
> doing so (<http://sscce.org/>).
>
> Also, I have copied the Launchpad user list on this reply, as I would
> consider it a great boon if pyOpenSSL eventually completely moved off of
> sourceforge, including no longer using the sourceforge hosted mailing
> list service.

Hi,

Thanks for your reply.

What I want to do is to completely close the socket.
My application opens a socket, transfers things, and once finished I want
to close the socket.

From what I understand I'm supposed to call shutdown() then close() but
that doesn't work for me :/

It's hard for me to provide a small example, because having
non-blocking sockets isn't done in 2 lines :/

--
Yann |
From: Yann L. <as...@la...> - 2012-08-22 19:29:41
|
Hi,

I'm having problems closing an OpenSSL.SSL.Connection.
I use python-openssl 0.13 from debian
openssl 1.0.1c
and last thing the underlying socket is non-blocking.

I have tried shutdown() but it tracebacks:

    Traceback (most recent call last):
      File "<string>", line 1, in <fragment>
    OpenSSL.SSL.Error: [('SSL routines', 'SSL_shutdown', 'uninitialized')]

I've tried sock_shutdown() (without argument even if documentation says
there is one): no traceback, but that doesn't close the socket.

I've tried close() (doc says it exists, but it doesn't).

And now I'm out of ideas. Could someone point me to how I should do that?

Thanks in advance,

--
Yann |
From: Joe O. <jo...@re...> - 2012-08-09 09:30:59
|
Hi, this is patch against the "trusted" branch: dump_certificate() only works with trusted certs in PEM mode; so throw an exception if an unsupported argument combination is used. Regards, Joe === modified file 'src/crypto/crypto.c' --- src/crypto/crypto.c 2010-07-16 15:00:32 +0000 +++ src/crypto/crypto.c 2012-08-09 09:28:28 +0000 @@ -297,6 +297,11 @@ return NULL; } + if (trust && type != X509_FILETYPE_PEM) { + PyErr_SetString(PyExc_ValueError, "can only write trusted certs with FILETYPE_PEM"); + return NULL; + } + bio = BIO_new(BIO_s_mem()); switch (type) { |
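Review bot: the new `trust && type != X509_FILETYPE_PEM` guard makes dump_certificate() raise ValueError, but the patch touches only src/crypto/crypto.c, so the PEM-only restriction for trusted certificates is neither documented in the function's docstring nor covered by a test; please add both, with the test passing a trusted cert together with each non-PEM type and expecting ValueError. Placing the check before `bio = BIO_new(BIO_s_mem())` is right, since the early `return NULL` then has nothing to free. The added PyErr_SetString line runs well past 80 columns, so the message string could move onto its own continuation line.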
From: shawn a <bor...@gm...> - 2012-07-31 17:31:49
|
Hello,

I need to translate this command:

    openssl smime -sign -text -signer certificate.pem -inkey key.pem -in file_to_be_signed -out signature -outform DER

into python using pyopenssl. Is this possible?

thanks,
-s.a |
From: eGenix T. M.-A. L. <in...@eg...> - 2012-05-16 07:49:20
|
________________________________________________________________________

ANNOUNCING

eGenix.com pyOpenSSL Distribution

Version 0.13.0-1.0.0j

An easy-to-install and easy-to-use distribution
of the pyOpenSSL Python interface for OpenSSL -
available for Windows, Mac OS X and Unix platforms

This announcement is also available on our web-site for online reading:
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.0-1.0.0j-1.html

________________________________________________________________________

INTRODUCTION

The eGenix.com pyOpenSSL Distribution includes everything you need to
get started with SSL in Python. It comes with an easy-to-use installer
that includes the most recent OpenSSL library versions in pre-compiled
form, making your application independent of OS provided OpenSSL
libraries:

http://www.egenix.com/products/python/pyOpenSSL/

pyOpenSSL is an open-source Python add-on that allows writing
SSL/TLS-aware network applications as well as certificate management
tools:

https://launchpad.net/pyopenssl/

OpenSSL is an open-source implementation of the SSL/TLS protocol:

http://www.openssl.org/

________________________________________________________________________

NEWS

This new release of the eGenix.com pyOpenSSL Distribution updates the
included OpenSSL version to 1.0.0g.

New features in OpenSSL 1.0.0j since 1.0.0g
-------------------------------------------

OpenSSL 1.0.0j fixes several vulnerabilities relative to 1.0.0g:

http://openssl.org/news/vulnerabilities.html

and includes a number of stability enhancements as well as extra
protection against attacks:

http://openssl.org/news/changelog.html

New features in the eGenix pyOpenSSL Distribution
-------------------------------------------------

* Fixed a compatibility problem with Python 2.7's distutils that was
  introduced in Python 2.7.3

As always, we provide binaries that include both pyOpenSSL and the
necessary OpenSSL libraries for all supported platforms: Windows x86
and x64, Linux x86 and x64, Mac OS X PPC, x86 and x64.

We've also added egg-file distribution versions of our eGenix.com
pyOpenSSL Distribution for Windows, Linux and Mac OS X to the available
download options. These make setups using e.g. zc.buildout and other
egg-file based installers a lot easier.

________________________________________________________________________

DOWNLOADS

The download archives and instructions for installing the package can
be found at:

http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

UPGRADING

Before installing this version of pyOpenSSL, please make sure that you
uninstall any previously installed pyOpenSSL version. Otherwise, you
could end up not using the included OpenSSL libs.

________________________________________________________________________

SUPPORT

Commercial support for these packages is available from eGenix.com.
Please see

http://www.egenix.com/services/support/

for details about our support offerings.

________________________________________________________________________

MORE INFORMATION

For more information about the eGenix pyOpenSSL Distribution, licensing
and download instructions, please visit our web-site or write to
sa...@eg....

Enjoy,
--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, May 16 2012)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
2012-07-02: EuroPython 2012, Florence, Italy 47 days to go
2012-04-26: Released mxODBC 3.1.2 http://egenix.com/go28
2012-04-25: Released eGenix mx Base 3.2.4 http://egenix.com/go27

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/ |
From: eGenix T. M.-A. L. <in...@eg...> - 2012-02-24 15:36:59
|
________________________________________________________________________

ANNOUNCING

eGenix.com pyOpenSSL Distribution

Version 0.13.0-1.0.0g

An easy-to-install and easy-to-use distribution
of the pyOpenSSL Python interface for OpenSSL -
available for Windows, Mac OS X and Unix platforms

This announcement is also available on our web-site for online reading:
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.0-1.0.0g-1.html

________________________________________________________________________

INTRODUCTION

The eGenix.com pyOpenSSL Distribution includes everything you need to
get started with SSL in Python. It comes with an easy-to-use installer
that includes the most recent OpenSSL library versions in pre-compiled
form, making your application independent of OS provided OpenSSL
libraries:

http://www.egenix.com/products/python/pyOpenSSL/

pyOpenSSL is an open-source Python add-on that allows writing
SSL/TLS-aware network applications as well as certificate management
tools:

https://launchpad.net/pyopenssl/

OpenSSL is an open-source implementation of the SSL/TLS protocol:

http://www.openssl.org/

________________________________________________________________________

NEWS

This new release of the eGenix.com pyOpenSSL Distribution updates the
included pyOpenSSL version to 0.13.0 and the included OpenSSL version
to 1.0.0g.

Main new features in pyOpenSSL since 0.10.0
-------------------------------------------

* pyOpenSSL 0.11 fixes a few bugs related to error processing; see
  https://launchpad.net/pyopenssl/+announcement/7128

* pyOpenSSL 0.12 fixes interaction with memoryviews, adds TLS callbacks
  and x509 extension introspection; see
  https://launchpad.net/pyopenssl/+announcement/8151

* pyOpenSSL 0.13 adds OpenSSL 1.0 support (which eGenix contributed)
  and a few new APIs; see
  https://lists.launchpad.net/pyopenssl-users/msg00008.html

Please see Jean-Paul Calderone's above announcements for more details.

New features in OpenSSL 1.0.0g since 1.0.0a
-------------------------------------------

OpenSSL 1.0.0g fixes several vulnerabilities relative to 1.0.0a:

http://openssl.org/news/vulnerabilities.html

and includes a number of stability enhancements as well as extra
protection against attacks:

http://openssl.org/news/changelog.html

New features in the eGenix pyOpenSSL Distribution
-------------------------------------------------

* Updated the pyOpenSSL license information from LGPL to Apache
  License 2.0.

* Added support for Python 2.7 on all platforms.

* Added documentation for automatic download of egg distributions
  using compatible tools such as easy_install and zc.buildout.

As always, we provide binaries that include both pyOpenSSL and the
necessary OpenSSL libraries for all supported platforms: Windows x86
and x64, Linux x86 and x64, Mac OS X PPC, x86 and x64.

We've also added egg-file distribution versions of our eGenix.com
pyOpenSSL Distribution for Windows, Linux and Mac OS X to the available
download options. These make setups using e.g. zc.buildout and other
egg-file based installers a lot easier.

________________________________________________________________________

DOWNLOADS

The download archives and instructions for installing the package can
be found at:

http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

UPGRADING

Before installing this version of pyOpenSSL, please make sure that you
uninstall any previously installed pyOpenSSL version. Otherwise, you
could end up not using the included OpenSSL libs.

________________________________________________________________________

SUPPORT

Commercial support for these packages is available from eGenix.com.
Please see

http://www.egenix.com/services/support/

for details about our support offerings.

________________________________________________________________________

MORE INFORMATION

For more information about the eGenix pyOpenSSL Distribution, licensing
and download instructions, please visit our web-site or write to
sa...@eg....

Enjoy,
--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Feb 13 2012)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/ |
From: Phil M. <p.m...@im...> - 2011-11-26 09:17:41
|
On 11/25/2011 09:34 PM, Glyph Lefkowitz wrote:
>> Anyway .. will move to M2Crypto.
>
> Rather than fixing, or even reporting, this one bug in pyopenssl?

I have opened https://bugs.launchpad.net/pyopenssl/+bug/896526

...so it doesn't get forgotten. |
From: Tobias O. <tob...@ta...> - 2011-11-26 06:37:28
|
> >>> However,
> >>>
> >>> PKey.generate_key
> >>>
> >>> still seems to block everything.
> >>>
> >>> Does above function lock the GIL?
> >>
> >> Other way round. The GIL is held unless you explicitly release it,
> >> which the current source code for that function does not seem to:
> >>
> >> http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/crypto/pkey.c#L39
> >>
> >> So AFAICT yes, it will block forever.
> >>
> >> Perhaps you could shell out to "openssl rsa" in a subprocess. Not
> >> ideal, but it won't require source code changes.
> >
> > Thanks for clarifying.
> >
> > Unfortunately, I am also missing other stuff (like dump pub key from cert
> > to verify that cert imported actually is for a given priv key).
> >
> > So I checked out M2Crypto.
> >
> > It seems to release the GIL during key generation ..
> >
> > The API is ... creative. IOW: it sucks. But I guess that's because it's a SWIG
> > generated OpenSSL wrapper.
> >
> > Anyway .. will move to M2Crypto.
>
> Rather than fixing, or even reporting, this one bug in pyopenssl?

It's 2 "bugs": GIL + no dump_publickey (or something similar which lets me do above).

I'll factor our code and maybe come back to this .. bit of time pressure right now. |
From: Glyph L. <gl...@tw...> - 2011-11-25 21:34:51
|
On Nov 25, 2011, at 12:13 PM, Tobias Oberstein <tob...@ta...> wrote:
>>> However,
>>>
>>> PKey.generate_key
>>>
>>> still seems to block everything.
>>>
>>> Does above function lock the GIL?
>>
>> Other way round. The GIL is held unless you explicitly release it, which the
>> current source code for that function does not seem to:
>>
>> http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/crypto/pkey.c#L39
>>
>> So AFAICT yes, it will block forever.
>>
>> Perhaps you could shell out to "openssl rsa" in a subprocess. Not ideal, but it
>> won't require source code changes.
>
> Thanks for clarifying.
>
> Unfortunately, I am also missing other stuff (like dump pub key from cert to verify that cert imported actually is for a given priv key).
>
> So I checked out M2Crypto.
>
> It seems to release the GIL during key generation ..
>
> The API is ... creative. IOW: it sucks. But I guess that's because it's a SWIG generated OpenSSL wrapper.
>
> Anyway .. will move to M2Crypto.

Rather than fixing, or even reporting, this one bug in pyopenssl? |
From: Tobias O. <tob...@ta...> - 2011-11-25 17:13:24
|
> > However,
> >
> > PKey.generate_key
> >
> > still seems to block everything.
> >
> > Does above function lock the GIL?
>
> Other way round. The GIL is held unless you explicitly release it, which the
> current source code for that function does not seem to:
>
> http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/crypto/pkey.c#L39
>
> So AFAICT yes, it will block forever.
>
> Perhaps you could shell out to "openssl rsa" in a subprocess. Not ideal, but it
> won't require source code changes.

Thanks for clarifying.

Unfortunately, I am also missing other stuff (like dump pub key from cert to verify that cert imported actually is for a given priv key).

So I checked out M2Crypto.

It seems to release the GIL during key generation ..

The API is ... creative. IOW: it sucks. But I guess that's because it's a SWIG generated OpenSSL wrapper.

Anyway .. will move to M2Crypto. |
From: Phil M. <p.m...@im...> - 2011-11-25 14:01:24
|
On 25/11/11 13:12, Tobias Oberstein wrote:
> I am using PyOpenSSL from within Twisted and want to generate new keys without blocking the Twisted networking.
>
> To do so, I use the deferToThread() Twisted feature, which runs functions on a thread from a background thread pool.
>
> However,
>
> PKey.generate_key
>
> still seems to block everything.
>
> Does above function lock the GIL?

Other way round. The GIL is held unless you explicitly release it,
which the current source code for that function does not seem to:

http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/crypto/pkey.c#L39

So AFAICT yes, it will block forever.

Perhaps you could shell out to "openssl rsa" in a subprocess. Not
ideal, but it won't require source code changes. |
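The subprocess workaround suggested in this thread, as an added example that is not code from the thread or from pyOpenSSL: the key is generated by the openssl command-line tool in a child process, so the worker thread only waits on a pipe (which releases the GIL) while the calling thread keeps running. Assumptions: the `openssl` binary is on PATH, a 2048-bit key, `concurrent.futures` standing in for Twisted's thread pool, and hypothetical function names.

```python
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor

OPENSSL = "openssl"  # assumption: the OpenSSL command-line tool is on PATH


def generate_rsa_key_pem(bits=2048):
    """Generate an RSA private key in a child process; return it as PEM bytes.

    The calling thread only waits on the child's pipes, which releases the
    GIL, so other Python threads (e.g. a reactor thread) keep running.
    """
    result = subprocess.run(
        [OPENSSL, "genrsa", str(bits)],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True,
    )
    return result.stdout


def public_key_pem(private_pem):
    """Derive the public key (PEM) from a private key via "openssl rsa".

    The private key is passed on stdin, so it never appears in argv or in
    a temporary file.
    """
    result = subprocess.run(
        [OPENSSL, "rsa", "-pubout"],
        input=private_pem, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        check=True,
    )
    return result.stdout


def generate_without_blocking(bits=2048, tick=0.005):
    """Generate a key on a worker thread while this thread keeps working.

    Returns (private_pem, ticks); ticks counts the loop iterations the
    calling thread completed while the key was being generated.
    """
    ticks = 0
    with ThreadPoolExecutor(max_workers=1) as pool:
        future = pool.submit(generate_rsa_key_pem, bits)
        while not future.done():
            ticks += 1          # stand-in for servicing network events
            time.sleep(tick)
        return future.result(), ticks


if __name__ == "__main__":
    pem, ticks = generate_without_blocking()
    print("calling thread ran %d ticks during key generation" % ticks)
    print(public_key_pem(pem).decode().splitlines()[0])
```

Comparing `public_key_pem()` output for two keys is a plain byte comparison, since the same key always yields the same PEM.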