How do I validate the SSL server certificates in my twisted SSL client?
I am very much a beginner to SSL. I have gone through the Twisted SSL tutorials but I am still unclear about some things.
My queries are:
1. How should I validate the SSL server certificate using the twisted.internet.ssl module?
2. How is the ssl.ClientContextFactory.getContext method useful when dealing with SSL?
3. How can I tell the Twisted SSL client about the location of the public key file?
Since Twisted 14.0, optionsForClientTLS is the best way to do this:

    from twisted.internet import reactor
    from twisted.internet.ssl import optionsForClientTLS
    from twisted.internet.endpoints import SSL4ClientEndpoint

    # The hostname passed here is the one the server certificate is verified against.
    ctx = optionsForClientTLS(hostname=u"example.com")
    # host and port are the address you actually connect to.
    endpoint = SSL4ClientEndpoint(reactor, host, port, ctx)
    factory = ...
    d = endpoint.connect(factory)
    ...

optionsForClientTLS takes other (optional) arguments as well which may also be useful.
Prior to Twisted 14.0, the process was a bit more involved:
After the connection is established and the SSL handshake has completed successfully (which means the certificate is currently valid based on its notBefore and notAfter values and that it is signed by a certificate authority certificate which you have indicated is trusted) you can get the certificate from the transport:

    certificate = self.transport.getPeerCertificate()

The certificate is represented as a pyOpenSSL X509 instance. It has a method you can use to retrieve the certificate's subject name:

    subject_name = certificate.get_subject()

The subject name is a distinguished name, represented as a pyOpenSSL X509Name instance. You can inspect its fields:

    common_name = subject_name.commonName

This is a string, for example "example.com".

If you need to inspect the subjectAltName instead (which it's likely you do), then you can find this information in the extensions of the certificate:

    extensions = certificate.get_extensions()

This is a list of pyOpenSSL X509Extension instances. You'll have to parse each one to find the subjectAltName and its value.
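The pre-14.0 procedure described in the answer above, as an added example that is not part of the original answer or of Twisted itself: a hypothetical client Protocol that, once the handshake has completed, pulls the peer certificate from the transport, reads its subject commonName and subjectAltName extension, and checks the expected hostname against them. The name-matching and SAN-parsing functions are pure Python so they can be tested without a live connection; the Twisted and pyOpenSSL calls (getPeerCertificate, get_subject, get_extension_count/get_extension, get_short_name) are the real APIs, the protocol class and the `expected_hostname` attribute are assumptions of this example.

```python
# Added example: hostname check against a peer certificate in a Twisted client
# (pre-optionsForClientTLS style). Not code from the original answer.

def parse_san(san_text):
    """Parse the textual form of a subjectAltName extension, which is what
    str(X509Extension) returns in pyOpenSSL, e.g.
    'DNS:example.com, DNS:*.example.com, IP Address:10.0.0.1'.
    Returns a dict such as {'DNS': [...], 'IP Address': [...]}."""
    entries = {}
    for item in san_text.split(","):
        kind, sep, value = item.strip().partition(":")
        if not sep:
            continue  # not a 'type:value' entry, skip it
        entries.setdefault(kind.strip(), []).append(value.strip())
    return entries


def hostname_matches(pattern, hostname):
    """RFC 6125 style comparison of one certificate name with a hostname:
    case-insensitive, and a wildcard is accepted only as the entire left-most
    label of a name with at least two more labels ('*.example.com'). A wildcard
    never matches more than one label and never matches the bare domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False  # partial wildcards ('w*.example.com') and '*.com' are rejected
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_matches_hostname(hostname, common_name, extensions):
    """Decide whether a certificate is valid for `hostname`.

    `extensions` is an iterable of (short_name, text) pairs, i.e. what you get
    from [(e.get_short_name().decode('ascii'), str(e)) for e in ...] on the
    pyOpenSSL X509Extension objects. When a subjectAltName with DNS entries is
    present, only those entries count and the commonName is ignored (RFC 6125);
    the commonName is used only as a fallback for certificates without a SAN.
    IP Address entries are deliberately not matched here."""
    dns_names = []
    for short_name, text in extensions:
        if short_name == "subjectAltName":
            dns_names.extend(parse_san(text).get("DNS", []))
    if dns_names:
        return any(hostname_matches(name, hostname) for name in dns_names)
    return common_name is not None and hostname_matches(common_name, hostname)


try:
    from twisted.internet.protocol import Protocol
except ImportError:  # the pure-Python checks above do not need Twisted installed
    Protocol = object


class HostnameCheckingProtocol(Protocol):
    """Hypothetical client protocol. The factory sets `expected_hostname`
    (assumed attribute) before connecting. getPeerCertificate() returns None
    until the TLS handshake has finished, and no application data can arrive
    before that, so the check is performed when the first data is received."""
    expected_hostname = None
    _checked = False

    def _peer_certificate_ok(self):
        cert = self.transport.getPeerCertificate()  # pyOpenSSL X509 or None
        if cert is None:
            return False
        extensions = [
            (cert.get_extension(i).get_short_name().decode("ascii"),
             str(cert.get_extension(i)))
            for i in range(cert.get_extension_count())
        ]
        return certificate_matches_hostname(
            self.expected_hostname, cert.get_subject().commonName, extensions)

    def dataReceived(self, data):
        if not self._checked:
            self._checked = True
            if not self._peer_certificate_ok():
                # Name mismatch: drop the connection before using any data.
                self.transport.loseConnection()
                return
        self.handle_verified_data(data)

    def handle_verified_data(self, data):
        """Application-level handling; override in a real protocol."""
        pass
```

This reproduces only the hostname part of what optionsForClientTLS does for you on Twisted 14.0 and later; chain validation (trusted CA, notBefore/notAfter) is still performed by the context factory during the handshake, as the answer describes.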