[PATCH] Re: Implement SSL certificate checking

[Johannes Stezenbach]

On Tue, Dec 14, 2010 at 08:16:32PM -0600, Sebastian Spaeth wrote:
> On Tue, 14 Dec 2010 21:34:54 +0100, Johannes Stezenbach <js at sig21.net> wrote:
> > FWIW, certificate validation is sadly insufficient, that's why
> > I'm advocating the ssh-style fingerprint check.
> > It's the same with webbrowsers, you can read a bit
> > about it here:
> > http://patrol.psyced.org/
> 
> Well, that doesn't apply here, as we currently need to specify a
> specific certificate file that the server is checked against. So it is a
> quite different situation from web browsers.

That is not true.  Read the documentation:
http://docs.python.org/release/2.6.6/library/ssl.html

  the ca_certs parameter must point to a file of CA certificates.

  The ca_certs file contains a set of concatenated “certification authority”
  certificates, which are used to validate certificates passed from the other
  end of the connection

Do you realize that there is a difference between a CA certificate
and a server certificate?

The usual and intended usage of ca_certs is to point to the
database of all trusted CA certificates, in Debian
/etc/ssl/certs/ca-certificates.crt (which can be
configured using "dpkg-reconfigure ca-certificates").

But even if you have only one cert in your ca_certs file
it is still a CA cert and not the server cert.

> That having said, I would love to get that certificate from the server
> and just have it be remembered, like mutt does. I have no clue how that
> would be done though.

I suppose SSLSocket.getpeercert(binary_form=True).
You can use ssl.DER_cert_to_PEM_cert() to convert it to ASCII
for storing it into a file (better avoid to store the
binary DER certificate).

The fingerprint is the MD5 or SHA1 on the binary DER.
It should be the same as the output of
  openssl x509 -noout -sha1 -fingerprint -in cert.in
  openssl x509 -noout -md5 -fingerprint -in cert.in


HTH
Johannes