Problem with get_peer_cert_chain()

Asked by Ryan on 2012-10-03

Hi,

I am seeing an issue with the method get_peer_cert_chain, or I am just not familiar enough with the intent of the method.

When using it on google.com:443, for example, I am only presented with the server certificate and intermediate (Thawte). The root from Verisign is not included in the returning list. The list count is also only 2, confirming that only 2 certs were returned.

Is this intended for this method, something wrong, or perhaps I misused it?

Thanks for any help,

Ryan

Question information

Language: English
Status: Solved
For: pyOpenSSL
Assignee: No assignee
Solved by: Shane Hansen
Solved: 2012-10-10
Last query: 2012-10-10
Last reply: 2012-10-09

Shane Hansen (shanemhansen) said : #1

I believe this is the intended behaviour. If Verisign is a trusted root CA, then it's not necessarily sent in the request.

Your client gets all the certificates google is presenting, you can verify this by:
openssl s_client -showcerts -connect www.google.com:443

exarkun: correct me if I'm wrong, but the easiest way to see the Verisign root cert is to use Context.set_verify_callback. This callback gets called for every certificate in the chain formed from your local trusted certificates all the way up to google's cert.

http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
http://pyopenssl.sourceforge.net/pyOpenSSL.txt

Which will

Ryan (rclark27604) said : #2

Hi Shane,

Thanks for your reply.
Any tips for how this callback could be used, or an example?
I notice in the documents that it can just be used to flag a request for client auth.

Thanks.

Shane Hansen (shanemhansen) said : #3

Hi Ryan,
I was actually going to write you a little example, but there's already one
contained in the pyopenssl distribution.
I've reproduced the file for you here: https://gist.github.com/3853468
verify_cb is called once for each certificate in the chain.

On Mon, Oct 8, 2012 at 7:41 AM, Ryan <email address hidden> wrote:

> Question #210261 on pyOpenSSL changed:
> https://answers.launchpad.net/pyopenssl/+question/210261

Ryan (rclark27604) said : #4

Forgive my rookie-ness, but I'm having a bit of trouble relating this example to what I need. I'm confused.

Where would it specify the get_peer_cert_chain() call? It looks very low-level I/O compared to what I am doing.

In my script, I am setting up a proxy (since I go through one), create the context object, then the connection (using the context). Then I am able to use connection.get_peer_cert_chain(), or get_peer_certificate() to get the cert object.

        import OpenSSL.SSL

        context = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
        connection = OpenSSL.SSL.Connection(context, s)  # 's' is my proxy socket, already connected
        connection.set_connect_state()
        connection.do_handshake()  # the peer chain is only available once the handshake has completed
        cert = connection.get_peer_cert_chain()

In the linked example, the set_verify is calling upon verify_cb where it initializes values that aren't used. It seems to already have the cert object as well, and gets the certificate subject in it. I guess I'm lost at this section of the example of what's going on.

The example also seems to have client certs to authenticate with, where I am not using any client authentication.

Shane Hansen (shanemhansen) said : #5 (best answer)

I've modified the example to just pull the certificates from google.com.
https://gist.github.com/3853468
usage: python client.py www.google.com 443

The important pieces here are:
1) call set_verify with SSL.VERIFY_PEER. This is what triggers the verify callback
2) verify_cb will be called once for each certificate in the chain.

I hope this helps. In a "real world" example, you would definitely want to call ctx.load_verify_locations and load some trusted CA's instead of just returning 1 from verify_cb, but I wanted to keep this example as small as possible.

Ryan (rclark27604) said : #6

Thanks for all of your help Shane. I was able to get it working!

Ryan (rclark27604) said : #7

Thanks Shane Hansen, that solved my question.