API

Note
The APIs for RFC 6125 verification beyond DNS-IDs (i.e. hostnames) aren’t public yet. They are in place and used by the documented high-level APIs, though. Eventually they will become public. If you’d like to play with them and provide feedback, have a look at the verify_service_identity function in the _common module.
pyOpenSSL

service_identity.pyopenssl.verify_hostname(connection, hostname)

Verify whether the certificate of connection is valid for hostname.

Parameters:
- connection (OpenSSL.SSL.Connection) – A pyOpenSSL connection object.
- hostname (unicode) – The hostname that connection should be connected to.

Raises:
- service_identity.VerificationError – If connection does not provide a certificate that is valid for hostname.
- service_identity.CertificateError – If the certificate chain of connection contains a certificate that contains invalid/unexpected data.

Returns: None
In practice, this may look like the following:

```python
from __future__ import absolute_import, division, print_function

import socket

from OpenSSL import SSL
from service_identity import VerificationError
from service_identity.pyopenssl import verify_hostname


ctx = SSL.Context(SSL.SSLv23_METHOD)
# VERIFY_PEER makes OpenSSL validate the chain; the callback just passes its
# verdict through. Chain validation is separate from the hostname check below.
ctx.set_verify(SSL.VERIFY_PEER, lambda conn, cert, errno, depth, ok: ok)
ctx.set_default_verify_paths()

hostname = u"twistedmatrix.com"
conn = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
conn.connect((hostname, 443))

try:
    conn.do_handshake()
    # Only after a successful handshake is the peer certificate available;
    # verify_hostname then checks that it is actually valid for `hostname`.
    verify_hostname(conn, hostname)
    # Do your super-secure stuff here.
except SSL.Error as e:
    print("TLS Handshake failed: {0!r}.".format(e.args[0]))
except VerificationError:
    print("Presented certificate is not valid for {0}.".format(hostname))
finally:
    conn.shutdown()
    conn.close()
```
PyCA cryptography

service_identity.cryptography.verify_certificate_hostname(certificate, hostname)

Verify whether certificate is valid for hostname.

Note
Nothing is verified about the authority of the certificate; the caller must verify that the certificate chains to an appropriate trust root themselves.

Parameters:
- certificate (cryptography.x509.Certificate) – A cryptography X509 certificate object.
- hostname (unicode) – The hostname that certificate should be valid for.

Raises:
- service_identity.VerificationError – If certificate is not valid for hostname.
- service_identity.CertificateError – If certificate contains invalid/unexpected data.

Returns: None
Universal Errors and Warnings

exception service_identity.VerificationError(errors)
Service identity verification failed.

exception service_identity.CertificateError
Certificate contains invalid or unexpected data.

exception service_identity.SubjectAltNameWarning
Server certificate does not contain a SubjectAltName. Hostname matching is performed on the CommonName, which is deprecated.
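To make concrete what the two verify_* functions above decide and when each of the three errors and warnings listed here fires, the following added example (written for this page, not code from the service_identity project) re-implements the DNS-ID matching rules from RFC 6125 over plain strings, with stand-in VerificationError, CertificateError and SubjectAltNameWarning classes that mirror the documented names. It is a stricter subset of the library's own logic: a wildcard must be the whole left-most label (partial wildcards such as `f*.example.com`, which the RFC permits, are rejected here), and the function names verify_dns_identity and identity_result are this example's own. It needs only the Python 3 standard library.

```python
# Added example (not part of service_identity): a stand-alone RFC 6125 DNS-ID
# matcher with stand-in exception/warning classes named after the ones the
# library documents. Rules here are a strict subset of the library's own.
import warnings


class VerificationError(Exception):
    """Stand-in for service_identity.VerificationError (constructed here)."""


class CertificateError(Exception):
    """Stand-in for service_identity.CertificateError (constructed here)."""


class SubjectAltNameWarning(DeprecationWarning):
    """Stand-in for service_identity.SubjectAltNameWarning (constructed here)."""


def _check_dns_id(pattern):
    """Raise CertificateError for dNSName values that are not usable DNS-IDs."""
    labels = pattern.split(".")
    if not pattern or "\x00" in pattern or any(label == "" for label in labels):
        raise CertificateError("malformed dNSName %r" % (pattern,))
    if "*" in pattern:
        # The wildcard must be the entire left-most label and appear nowhere else.
        if labels[0] != "*" or any("*" in label for label in labels[1:]):
            raise CertificateError("invalid wildcard in dNSName %r" % (pattern,))
        if len(labels) < 3:
            # "*.com" would cover a whole TLD; refuse it.
            raise CertificateError("wildcard too broad in dNSName %r" % (pattern,))


def _dns_id_matches(pattern, hostname):
    """Case-insensitive match; a wildcard covers exactly one non-IDNA label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        if h_labels[0].startswith("xn--"):
            return False  # never let a wildcard stand in for an IDNA label
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == hostname


def verify_dns_identity(san_dns_names, common_name, hostname):
    """Verify hostname against a certificate's DNS identities.

    san_dns_names: dNSName entries from the SubjectAltName extension.
    common_name:   subject CommonName, consulted only when there are no
                   dNSName entries (deprecated fallback, emits a warning).
    Returns None on success; raises VerificationError on mismatch and
    CertificateError on malformed identity data.
    """
    if not hostname or "*" in hostname or "\x00" in hostname:
        raise ValueError("hostname must be a concrete, non-empty name")
    candidates = list(san_dns_names)
    if not candidates:
        if common_name is None:
            raise VerificationError("certificate carries no DNS identity")
        warnings.warn(
            "Certificate has no SubjectAltName; matching on CommonName is deprecated.",
            SubjectAltNameWarning,
            stacklevel=2,
        )
        candidates = [common_name]
    for candidate in candidates:
        _check_dns_id(candidate)
    if not any(_dns_id_matches(c, hostname) for c in candidates):
        raise VerificationError("%r is not valid for %r" % (hostname, candidates))


def identity_result(san_dns_names, common_name, hostname):
    """Summarise the outcome as 'ok', 'ok-cn-fallback', 'mismatch' or 'invalid'."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            verify_dns_identity(san_dns_names, common_name, hostname)
        except VerificationError:
            return "mismatch"
        except CertificateError:
            return "invalid"
    if any(issubclass(w.category, SubjectAltNameWarning) for w in caught):
        return "ok-cn-fallback"
    return "ok"


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real certificate.
    san = ["example.com", "*.example.com"]
    for host in ["www.example.com", "a.b.example.com", "example.org"]:
        print("%-20s -> %s" % (host, identity_result(san, "cn.invalid", host)))
    print("CN fallback          -> %s" % identity_result([], "Example.COM", "example.com"))
    print("bad wildcard         -> %s" % identity_result(["*.com"], None, "example.com"))
```

Reading the outcomes against the exception list above: a host the identities do not cover is a VerificationError, identity data the library cannot use (an empty label, a NUL byte, a wildcard outside the first label or too close to the TLD) is a CertificateError, and a certificate with no SubjectAltName at all still verifies through the CommonName but triggers SubjectAltNameWarning, which is the signal to treat such certificates as legacy.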