0

I have been given the following code that should perform an ssl handshake and certificate authentication:

1   s = socket.socket()
2   print "connecting..."
3   logging.debug("Connecting")
4   # Connect with SSL mutual authentication
5   # We only trust our server's CA, and it only trusts user certificates signed by it
6   c = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED,
7                       ssl_version=ssl.PROTOCOL_SSLv3, ca_certs='ca.crt',
8                       certfile='user.crt', keyfile='user.key')
9   c.connect((constants.server_addr, constants.port))

I have 2 questions about this:

  1. where do we specify the server/port to which we are connecting? are these arguments to socket.socket()?
  2. I have a .p12 from which I extracted a cert and a key in pem format(see this question), and I assume that these correspond to user.crt and user.key (line 8), respectively. However, while I assume that ca.crt (line 7) is retrived from the certificate authority, how to I retrieve it?

If any part of the above code or my assumptions about it are incorrect, please let me know. Thanks!

Improve this question
5
  • Actually -- PKCS#12 files (your .p12 file) can, and typically do, contain the relevant CA certificate as well. Commented May 17, 2012 at 16:19
  • 1
    @CharlesDuffy, your own PKCS#12 file is likely to contain your own certificate's chain, but not the servers (unless they are the same, which isn't necessarily the case). Commented May 17, 2012 at 16:50
  • @CharlesDuffy how would I retrieve the CA cert from the p12? Commented May 17, 2012 at 17:06
  • @Bruno Fair enough -- I was presuming a private (ie. corporate) CA used for both ends here. Commented May 17, 2012 at 20:10
  • @ewok see man pkcs12 -- particularly -cacerts in conjunction with -out. That said, Bruno's warning applies -- the client and server certificates may or may not be signed by the same CA. Commented May 17, 2012 at 20:11

1 Answer 1

Reset to default
2

  1. Server address and port are specified as part of the socket address in line 9, specified as the parameter to connect.

  2. Generally, you've acquired the CA certificate via some out-of-band method, then saved it locally. Linux systems generally have a bundle of certificates for well-known, trusted CAs available under /etc/ssl/certs or similar.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

the code is being run on Windows. any idea where it would be stored there? would it be retrievable through security exceptions saved in firefox?
You can export the CA certificates from Firefox, sure, if you know which CA signed the server's certificate. Use PEM format for use with the ssl library (see docs.python.org/library/ssl.html#certificates). But if the server was not signed by one of those CAs, you will want to ask the organization that runs the server about getting a certificate.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.