Reputation: 11296
Is there any way to implement OCSP checking with the requests library?
The only feasible way I see now is using pyOpenSSL, however this means having to establish a separate independent connection to the server to get the certificate and then connect to the issuer to verify it.
And then, are there any such implementations out there? Did you already solve it and care to report about it?
M2Crypto also looks like a candidate for SSL connections at least; however, I'm not sure about possible drawbacks with that library, but it looks more low-level than requests for sure.
Side note:
Apparently Python really sucks when it comes to more sophisticated HTTP/HTTPS connections.
urllib does not even check SSL/TLS certificates, while requests comes with its own collection of CA certificates (rather than using the system's CAs) and does not seem to support proxy configuration via PAC.
Heck, I even tried using Qt's HTTP stack (which uses OS settings) but ran into a stalling issue with multiple concurrent connections.
Upvotes: 1
Views: 3447
Reputation: 101
I don't know if this helps. Actually OpenSSL does have support for OCSP. I was actually able to have an open socket with SSL.Connection, but then my problem is to have an actual HTTP connection over that socket.
With the following code you can open an OCSP connection and perform the whole OCSP handshake. The next step is creating an HTTP connection from it.
import socket
from OpenSSL.SSL import (Context, Connection, VERIFY_PEER,
                         VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE)

def verify_callback(conn, cert, errnum, depth, ok):
    # Called once per certificate in the chain; keep OpenSSL's own verdict
    return bool(ok)

def ocsp_callback(conn, ocsp_data, data):
    # ocsp_data is the DER OCSP response the server stapled (b'' if none).
    # Fail the handshake when nothing was stapled; the response itself is
    # not validated here, that is the next step.
    return len(ocsp_data) > 0

ssl_context = Context(tls_method)
ssl_context.use_certificate_file(clientcert)
ssl_context.use_privatekey_file(clientkey)
ssl_context.load_verify_locations(cafile=None, capath=trusted_ca)
ssl_context.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,
                       callback=verify_callback)
ssl_context.set_ocsp_client_callback(callback=ocsp_callback, data=None)
tcp_conn = socket.create_connection((host, port))
ssl_conn = Connection(ssl_context, tcp_conn)
ssl_conn.set_tlsext_host_name(host.encode())
ssl_conn.request_ocsp()       # ask the server to staple an OCSP response
ssl_conn.set_connect_state()
ssl_conn.do_handshake()
Upvotes: 1
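The stapled blob that pyOpenSSL hands to the OCSP client callback still has to be checked before it means anything. The following is an added example (not code from either answer), assuming the `cryptography` package: `check_stapled_ocsp` accepts a response only if it is signed by the issuer's key, refers to the leaf's serial number, is fresh, and says GOOD, failing closed in every other case; `build_fixture` constructs a throwaway CA, leaf and signed response so the check runs offline.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def _utc(resp, field):
    # cryptography >= 43 adds tz-aware *_utc properties; older releases give naive UTC
    value = getattr(resp, field + "_utc", None) or getattr(resp, field)
    return value.replace(tzinfo=timezone.utc) if value and not value.tzinfo else value

def check_stapled_ocsp(ocsp_der, leaf, issuer, max_age=timedelta(days=7)):
    """True only for a fresh GOOD answer about `leaf` signed by `issuer`'s key; everything
    else (empty staple, bad DER, unsuccessful status, forged, foreign, stale) fails closed."""
    try:
        resp = ocsp.load_der_ocsp_response(ocsp_der)    # b'' from pyOpenSSL means "no staple"
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,  # assumes the CA signs
                                   ec.ECDSA(resp.signature_hash_algorithm))  # its own responses
    except (ValueError, InvalidSignature):              # unsuccessful status also raises ValueError
        return False
    if resp.serial_number != leaf.serial_number:
        return False                                    # answer is about another certificate
    now = datetime.now(timezone.utc)
    this_update, next_update = _utc(resp, "this_update"), _utc(resp, "next_update")
    if this_update > now or now - this_update > max_age:
        return False                                    # future-dated or older than accepted
    if next_update is not None and next_update < now:
        return False                                    # responder says this answer expired
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD

def build_fixture(revoked=False):
    """Constructed sample: throwaway CA, a leaf it issued, and a response it signed 1h ago."""
    ca_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    now, hour_ago = datetime.now(timezone.utc), datetime.now(timezone.utc) - timedelta(hours=1)
    def issue(cn, key):
        return (x509.CertificateBuilder()
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
                .issuer_name(ca_name).public_key(key.public_key())
                .serial_number(x509.random_serial_number())
                .not_valid_before(now - timedelta(days=1))
                .not_valid_after(now + timedelta(days=30)).sign(ca_key, hashes.SHA256()))
    issuer, leaf = issue("Constructed Test CA", ca_key), issue("example.test", leaf_key)
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=issuer, algorithm=hashes.SHA256(), cert_status=status,
                          this_update=hour_ago, next_update=now + timedelta(days=6),
                          revocation_time=hour_ago if revoked else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, issuer).sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER), leaf, issuer
```

Inside the pyOpenSSL callback, `conn.get_peer_certificate()` and `conn.get_peer_cert_chain()` give the leaf and its issuer as pyOpenSSL objects, and `.to_cryptography()` converts them to the types this check expects.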
Reputation: 123521
From a short look at pyOpenSSL and M2Crypto I doubt that they provide the necessary functionality for OCSP verification, and I cannot see any serious attempts to implement such a thing for Python; see also http://www.gossamer-threads.com/lists/python/bugs/1092384.
Implementing OCSP is definitely not an easy thing. The OpenSSL API is undocumented and you have to extract the necessary parts from the source code. Then you have to try to put them together and make an interface out of it, which is actually usable by an end-user.
Apparently Python really sucks when it comes to more sophisticated HTTP/HTTPS connections.
It's not only Python. If you look at tools and programming languages, lots of them fail at the basic task of verifying certificates properly, that is, checking against the CA and not forgetting to check the names inside the certificate against the given host name. And most of them either don't do OCSP or provide only an OpenSSL-like API which is not really usable in a simple way.
Upvotes: 2