0

I have been given the following code that should perform an ssl handshake and certificate authentication:

1   s = socket.socket()
2   print "connecting..."
3   logging.debug("Connecting")
4   # Connect with SSL mutual authentication
5   # We only trust our server's CA, and it only trusts user certificates signed by it
6   c = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED,
7                       ssl_version=ssl.PROTOCOL_SSLv3, ca_certs='ca.crt',
8                       certfile='user.crt', keyfile='user.key')
9   c.connect((constants.server_addr, constants.port))

I have 2 questions about this:

  1. where do we specify the server/port to which we are connecting? are these arguments to socket.socket()?
  2. I have a .p12 from which I extracted a cert and a key in pem format(see this question), and I assume that these correspond to user.crt and user.key (line 8), respectively. However, while I assume that ca.crt (line 7) is retrived from the certificate authority, how to I retrieve it?

If any part of the above code or my assumptions about it are incorrect, please let me know. Thanks!

Community
  • 1
  • 1
ewok
  • 20,148
  • 51
  • 149
  • 254
  • Actually -- PKCS#12 files (your `.p12` file) can, and typically _do_, contain the relevant CA certificate as well. – Charles Duffy May 17 '12 at 16:19
  • 1
    @CharlesDuffy, your own PKCS#12 file is likely to contain your own certificate's chain, but not the servers (unless they are the same, which isn't necessarily the case). – Bruno May 17 '12 at 16:50
  • @CharlesDuffy how would I retrieve the CA cert from the p12? – ewok May 17 '12 at 17:06
  • @Bruno Fair enough -- I was presuming a private (ie. corporate) CA used for both ends here. – Charles Duffy May 17 '12 at 20:10
  • @ewok see `man pkcs12` -- particularly `-cacerts` in conjunction with `-out`. That said, Bruno's warning applies -- the client and server certificates may or may not be signed by the same CA. – Charles Duffy May 17 '12 at 20:11

1 Answers1

2

  1. Server address and port are specified as part of the socket address in line 9, specified as the parameter to connect.

  2. Generally, you've acquired the CA certificate via some out-of-band method, then saved it locally. Linux systems generally have a bundle of certificates for well-known, trusted CAs available under /etc/ssl/certs or similar.

Mattie
  • 20,280
  • 7
  • 36
  • 54
  • the code is being run on Windows. any idea where it would be stored there? would it be retrievable through security exceptions saved in firefox? – ewok May 17 '12 at 17:02
  • You can export the CA certificates from Firefox, sure, if you know which CA signed the server's certificate. Use PEM format for use with the `ssl` library (see http://docs.python.org/library/ssl.html#certificates). But if the server was not signed by one of those CAs, you will want to ask the organization that runs the server about getting a certificate. – Mattie May 17 '12 at 19:36