28 Aug 13:24
https & invalid certs
From: Dirk Vleugels <dvl <at> 2scale.net>
Subject: https & invalid certs
Newsgroups: gmane.comp.lang.jython.user
Date: 2008-08-28 11:28:26 GMT
Hi,
I'm able to connect to SSL sockets issuing self-signed or just plain
invalid certs by using code like this:

    from jarray import array
    import java.net
    import javax.net.ssl

    # Trust manager that accepts every certificate chain (no validation at all).
    class TrustManager(javax.net.ssl.X509TrustManager):
        def checkClientTrusted(self, chain, authtype):
            pass
        def checkServerTrusted(self, chain, authtype):
            pass
        def getAcceptedIssuers(self):
            return None

    # Hostname verifier that accepts any hostname for any certificate.
    class HostnameVerifier(javax.net.ssl.HostnameVerifier):
        def verify(self, hostname, ssl_session):
            return True

    def setupSSLFactory():
        sc = javax.net.ssl.SSLContext.getInstance("SSLv3")
        sc.init(None, array([TrustManager()], TrustManager), None)
        urlConn = javax.net.ssl.HttpsURLConnection
        # Installed as the JVM-wide defaults for HttpsURLConnection.
        urlConn.setDefaultSSLSocketFactory(sc.getSocketFactory())
        urlConn.setDefaultHostnameVerifier(HostnameVerifier())

    setupSSLFactory()
    url = java.net.URL("https://domain-with-wrong-cert.com")
    [..............]

But I have to fall back to java.net.URL; using urllib2 the connect
throws an exception like:
javax.net.ssl.SSLHandshakeException:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation
failed: java.security.cert.CertPathValidatorException: timestamp check
failed
I guess socket.ssl ignores the overwritten trust & hostname verifiers somehow.
Is there any way to fix this without hacking around in socket.ssl?
Importing all server certs locally is not feasible.
Regards,
Dirk