Prevent the use of OpenSSL system certificates?

How can I prevent OpenSSL (specifically the Python module ssl) from using system certificates?

In other words, I would like it to trust only the certification authorities that I specify, and nothing else:

ssl_socket = ssl.wrap_socket(newsocket, server_side=True, certfile="my_cert.pem",
                             ca_certs=MY_TRUSTED_CAs, # <<< Only CAs specified here
                             cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLSv1)
+3
1 answer

I just ran a few tests, and listing your chosen CAs in the ca_certs option is exactly what you need.

The system I tried this with is Linux with Python 2.6. If you are not using ca_certs, this does not allow you to use cert_reqs=ssl.CERT_REQUIRED:

Traceback (most recent call last):
  File "sockettest.py", line 18, in <module>
    cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLSv1)
  File "/usr/lib/python2.6/ssl.py", line 350, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/lib/python2.6/ssl.py", line 113, in __init__
    cert_reqs, ssl_version, ca_certs)
ssl.SSLError: _ssl.c:317: No root certificates specified for verification of other-side certificates.

, CA ca_certs, ssl_error_unknown_ca_alert ( ).

, CA- - ( certificate_authorities CertificateRequest TLS), . , .

+2
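An added example, not part of the original question or answer: the same "trust only my CAs" setup with the Python 3 `ssl.SSLContext` API (`ssl.wrap_socket` was removed in Python 3.12), checked with a real handshake. It assumes the `openssl` command-line tool is on PATH; the helper names and the throwaway self-signed certificates are constructed for this demonstration.

```python
import os, socket, ssl, subprocess, tempfile, threading
def make_cert(workdir, name):
    """Create a throwaway self-signed certificate (constructed test data)."""
    key, crt = (os.path.join(workdir, name + ext) for ext in (".key", ".pem"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-subj", "/CN=" + name,
                    "-days", "1"], check=True, capture_output=True)
    return crt, key

def server_context(trusted_cas, certfile, keyfile):
    """Server context whose only trust anchors are the certs in trusted_cas."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # starts with an empty CA store
    ctx.verify_mode = ssl.CERT_REQUIRED            # client must present a cert
    ctx.load_verify_locations(cafile=trusted_cas)  # no load_default_certs() call
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def client_accepted(server_ctx, client_cert, client_key):
    """Handshake over a local socketpair; True if the server accepts the cert."""
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname = False
    cctx.verify_mode = ssl.CERT_NONE  # demo exercises server-side checks only
    cctx.load_cert_chain(client_cert, client_key)
    s_sock, c_sock = socket.socketpair()
    for s in (s_sock, c_sock):
        s.settimeout(10)
    def client():
        try:
            with cctx.wrap_socket(c_sock) as tls:
                tls.recv(1)
        except OSError:  # handshake alert or reset when the server rejects us
            pass
    t = threading.Thread(target=client)
    t.start()
    try:
        with server_ctx.wrap_socket(s_sock, server_side=True) as tls:
            tls.sendall(b"k")
        return True
    except ssl.SSLError:  # includes SSLCertVerificationError (unknown CA)
        return False
    finally:
        t.join()

def demo():
    """Return (pinned_accepted, other_accepted) for two constructed certs."""
    with tempfile.TemporaryDirectory() as d:
        srv, pinned, other = (make_cert(d, n) for n in ("server", "pinned", "other"))
        ctx = server_context(pinned[0], *srv)
        return client_accepted(ctx, *pinned), client_accepted(ctx, *other)
```

A context built with `ssl.create_default_context()` and no `cafile`, `capath` or `cadata` can load the system store, so build the context directly as above when only your own CAs should be trusted.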

Source: https://habr.com/ru/post/1771117/

