Skip to main content

Service identity verification for pyOpenSSL.

Project description

https://travis-ci.org/hynek/service_identity.png?branch=master https://coveralls.io/repos/hynek/service_identity/badge.png

WARNING

This software is currently alpha and under review. Use it at your own peril.

Any part is subject to change, but feedback is very welcome!

Pitch

service_identity aspires to give you all the tools you need for verifying whether a certificate is valid for the intended purposes.

In the simplest case, this means host name verification. However, service_identity implements RFC 6125 fully and plans to add other relevant RFCs too.

Features

Present

  • dNSName with fallback to CN (DNS-ID, aka host names, RFC 6125).
  • uniformResourceIdentifier (URI-ID, RFC 6125).
  • SRV-ID (RFC 6125)

Future

Usage

Verify a Hostname

The simplest, most common, and most important usage:

from __future__ import absolute_import, division, print_function

import socket

from OpenSSL import SSL
from service_identity import VerificationError
from service_identity.pyopenssl import verify_hostname


ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_verify(SSL.VERIFY_PEER, lambda conn, cert, errno, depth, ok: ok)
ctx.set_default_verify_paths()

hostname = u"twistedmatrix.com"
conn = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
conn.connect((hostname, 443))

try:
    conn.do_handshake()
    verify_hostname(conn, hostname)
    # Do your super-secure stuff here.
except SSL.Error as e:
    print("TLS Handshake failed: {0!r}.".format(e.args[0]))
except VerificationError:
    print("Presented certificate is not valid for {0}.".format(hostname))
finally:
    conn.shutdown()
    conn.close()

Requirements

Python 2.6, 2.7, 3.2, 3.3, and 3.4 as well as PyPy are supported.

Additionally, the following PyPI modules are required:

Optionally, idna can be used for internationalized domain names (IDN), aka non-ASCII domains. Please note, that idna is not available for Python 3.2 and is required because Python’s stdlib support is outdated.

History

0.2.0 (2014-04-06)

This release contains multiple backward-incompatible changes.

  • Refactor into a multi-module package. Most notably, verify_hostname and extract_ids live in the service_identity.pyopenssl module now.
  • verify_hostname now takes an OpenSSL.SSL.Connection for the first argument.
  • Less false positives in IP address detection.
  • Officially support Python 3.4 too.
  • More strict checks for URI_IDs.

0.1.0 (2014-03-03)

  • Initial release.

Authors

service_identity is currently maintained by Hynek Schlawack.

If you think you’ve found a security-relevant bug, please contact me privately and ideally encrypt your message using PGP. I will then work with you on a responsible resolution. You can find my contact information and PGP data on my homepage.

Contributors

The following wonderful people contributed directly or indirectly to this project:

Please add yourself here alphabetically when you submit your first pull request.

Project details


Release history Release notifications

History Node

17.0.0

History Node

16.0.0

History Node

14.0.0

History Node

1.0.0

This version
History Node

0.2

History Node

0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
service_identity-0.2-py2.py3-none-any.whl (12.9 kB) Copy SHA256 hash SHA256 Wheel 2.7 Apr 6, 2014
service_identity-0.2.tar.gz (21.4 kB) Copy SHA256 hash SHA256 Source None Apr 7, 2014

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging CloudAMQP CloudAMQP RabbitMQ AWS AWS Cloud computing Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page