Problem with getpeercert in the ssl module when retrieving client side certs #52901

Closed
WestlyWard mannequin opened this issue May 7, 2010 · 4 comments
Labels
stdlib Python modules in the Lib dir

WestlyWard mannequin commented May 7, 2010

BPO 8655
Nosy @pitrou
Files
  • ssltest.tar.gz: Example script and associated files
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2010-09-08.23:57:51.310>
    created_at = <Date 2010-05-07.20:49:51.807>
    labels = ['invalid', 'library']
    title = 'Problem with getpeercert in the ssl module when retrieving client side certs'
    updated_at = <Date 2010-09-08.23:57:51.309>
    user = 'https://bugs.python.org/WestlyWard'

    bugs.python.org fields:

    activity = <Date 2010-09-08.23:57:51.309>
    actor = 'pitrou'
    assignee = 'none'
    closed = True
    closed_date = <Date 2010-09-08.23:57:51.310>
    closer = 'pitrou'
    components = ['Library (Lib)']
    creation = <Date 2010-05-07.20:49:51.807>
    creator = 'Westly.Ward'
    dependencies = []
    files = ['17249', '17250']
    hgrepos = []
    issue_num = 8655
    keywords = []
    message_count = 4.0
    messages = ['105227', '105229', '105230', '105236']
    nosy_count = 3.0
    nosy_names = ['janssen', 'pitrou', 'Westly.Ward']
    pr_nums = []
    priority = 'normal'
    resolution = 'not a bug'
    stage = None
    status = 'closed'
    superseder = None
    type = None
    url = 'https://bugs.python.org/issue8655'
    versions = ['Python 2.6']

    WestlyWard mannequin commented May 7, 2010

    I originally had this problem when writing my IRCd, but then tested it in a basic script. The problem is that getpeercert() is always returning None when executed on the server side, even when the client is using an ssl cert. I have included an example in the attachment. Just run sslserver.py in one terminal window, and then run sslclient.py in the other. I also included the two fresh ssl certs and keys I used. In client.txt and server.txt I put the commands I used to generate the ssl certs and keys.

    @WestlyWard WestlyWard mannequin added the stdlib Python modules in the Lib dir label May 7, 2010
    pitrou commented May 7, 2010

    You must use either ssl.CERT_OPTIONAL or ssl.CERT_REQUIRED if you want to retrieve the client certificate. I admit this makes the getpeercert() API a bit strange, and I'm not sure why the original decision was made.

    Can you confirm this fixes your issue?

    @pitrou pitrou added the invalid label May 7, 2010
    WestlyWard mannequin commented May 7, 2010

    When I use the argument to make certs optional, it gave me an error saying it needed the ca certs, so I downloaded them and specified to use them, and now I am getting errors from ssl.c

    Here's the error on the server side:

    westly@westly-desktop ~/Desktop/ssltest $ python sslserver.py 
    Traceback (most recent call last):
      File "sslserver.py", line 8, in <module>
        conn, addr, = a.accept()
      File "/usr/lib/python2.6/ssl.py", line 326, in accept
        suppress_ragged_eofs=self.suppress_ragged_eofs),
      File "/usr/lib/python2.6/ssl.py", line 118, in __init__
        self.do_handshake()
      File "/usr/lib/python2.6/ssl.py", line 293, in do_handshake
        self._sslobj.do_handshake()
    SSLError: [Errno 1] _ssl.c:480: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

    Here's the error on the client side:

    westly@westly-desktop ~/Desktop/ssltest $ python sslclient.py 
    Traceback (most recent call last):
      File "sslclient.py", line 4, in <module>
        a.connect(("127.0.0.1", 112233))
      File "/usr/lib/python2.6/ssl.py", line 309, in connect
        self.do_handshake()
      File "/usr/lib/python2.6/ssl.py", line 293, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

    I got the ca certs from http://www.positivessl.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt which is from a link in the ssl module docs.

    I have attached the modified scripts.

    pitrou commented May 7, 2010

    > When I use the argument to make certs optional, it gave me an error saying it needed the ca certs, so I downloaded them and specified to use them, and now I am getting errors from ssl.c

    You have to specify the CA cert corresponding to the Certificate
    Authority (CA) who has signed your certificate.
    A CA can be a company such as Verisign, etc.

    However, in this case, you have self-signed the certificate; so the only
    "CA cert" you can specify is the client certificate itself. If you
    specify "client.crt" as the ca_certs argument, you'll see that it works.
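
The two replies above come down to two server-side settings: verify_mode must be CERT_OPTIONAL or CERT_REQUIRED, otherwise OpenSSL never sends a CertificateRequest and getpeercert() has nothing to return; and the CA file must contain whatever signed the client certificate, which for a self-signed certificate is that certificate itself. The script below is an added example, not the issue author's ssltest scripts and not CPython's own code. It uses the current Python 3 SSLContext API rather than the 2.6-era ssl.wrap_socket keyword arguments in the thread, and runs four in-process handshakes to show each outcome: the original CERT_NONE setup, CERT_OPTIONAL with a client that presents nothing, CERT_REQUIRED with the client's self-signed certificate as its own trust anchor, and CERT_REQUIRED with the wrong trust anchor. It assumes the openssl command-line tool is on PATH to mint throwaway certificates; the certificate subjects, file names and helper functions are the example's own.

```python
"""Server-side client-certificate retrieval with the ssl module.

Added example (not the issue author's scripts, not CPython's own code).
Assumes the `openssl` CLI is on PATH; everything else is the standard library.
"""
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

HOST = "127.0.0.1"


def make_self_signed(workdir, name):
    """Mint a throwaway self-signed cert/key pair (CN=name) with the openssl CLI."""
    crt, key = str(Path(workdir) / f"{name}.crt"), str(Path(workdir) / f"{name}.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={name}", "-keyout", key, "-out", crt],
        check=True, capture_output=True,
    )
    return crt, key


def _serve_once(listener, sctx, result):
    """Accept one connection; record what getpeercert() sees, or the handshake error."""
    try:
        conn, _ = listener.accept()
        conn.settimeout(5)
        # wrap_socket on a connected socket performs the handshake immediately
        with conn, sctx.wrap_socket(conn, server_side=True) as tls:
            result["peercert"] = tls.getpeercert()                  # parsed dict, or None
            result["peercert_der"] = tls.getpeercert(binary_form=True)
            tls.sendall(b"ok")
    except ssl.SSLError as exc:
        result["error"] = str(exc)


def run_scenario(server_crt, server_key, verify_mode, cafile, client_crt=None, client_key=None):
    """One TLS handshake between an in-process server and client.

    Returns the dict written by the server thread: 'peercert'/'peercert_der'
    on success, or 'error' with the server-side SSLError message.
    """
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(server_crt, server_key)
    sctx.verify_mode = verify_mode            # decides whether a client cert is requested at all
    if cafile is not None:
        sctx.load_verify_locations(cafile=cafile)  # who may have signed the client cert

    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname = False               # throwaway server cert carries no SAN
    cctx.load_verify_locations(cafile=server_crt)
    if client_crt is not None:
        cctx.load_cert_chain(client_crt, client_key)

    listener = socket.socket()
    listener.bind((HOST, 0))                  # ephemeral port, so the example never collides
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    result = {}
    server = threading.Thread(target=_serve_once, args=(listener, sctx, result))
    server.start()
    try:
        with socket.create_connection((HOST, port), timeout=5) as raw, cctx.wrap_socket(raw) as tls:
            tls.recv(2)
    except OSError:
        pass  # expected when the server rejects our cert: alert, EOF or reset
    finally:
        server.join()
        listener.close()
    return result


def demo():
    """Results for the four configurations; None if the openssl CLI is unavailable."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as work:
        s_crt, s_key = make_self_signed(work, "server")
        c_crt, c_key = make_self_signed(work, "client")
        return {
            # the issue's original setup: no CertificateRequest is sent, so nothing to return
            "cert_none": run_scenario(s_crt, s_key, ssl.CERT_NONE, None, c_crt, c_key),
            # cert requested but not enforced; client sends none: handshake ok, still None
            "optional_no_cert": run_scenario(s_crt, s_key, ssl.CERT_OPTIONAL, c_crt),
            # the fix from the thread: CERT_REQUIRED plus the self-signed client cert as its own CA
            "required_ok": run_scenario(s_crt, s_key, ssl.CERT_REQUIRED, c_crt, c_crt, c_key),
            # CERT_REQUIRED with an unrelated trust anchor: server-side handshake fails
            "required_wrong_ca": run_scenario(s_crt, s_key, ssl.CERT_REQUIRED, s_crt, c_crt, c_key),
        }


if __name__ == "__main__":
    for name, res in (demo() or {}).items():
        print(name, "->", res.get("error") or res["peercert"])
```

With CERT_REQUIRED and the right trust anchor, getpeercert() returns the parsed certificate dict (subject, issuer, serial, validity), and getpeercert(binary_form=True) returns the DER bytes; with CERT_NONE both are None because the client was never asked for a certificate. With the wrong trust anchor the server's handshake raises SSLCertVerificationError and the client sees the "unknown ca" alert or a reset; under TLS 1.3 the client's own handshake may already have returned, so the failure surfaces on its first read, which is why the client side only catches OSError. Loading a leaf certificate as the CA file is effectively pinning that one certificate; a real deployment signs client certificates from a private CA and loads the CA certificate instead.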

    @pitrou pitrou closed this as completed Sep 8, 2010
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022