SSL Context for older python version

Asked 16/3, 2016 at 4:33 Answered 29/3, 2016 at 6:12

I have a code as below :

headers = {'content-type': 'ContentType.APPLICATION_XML'}
uri = "www.client.url.com/hit-here/"
clientCert = "path/to/cert/abc.crt"
clientKey = "path/to/key/abc.key"
PROTOCOL = ssl.PROTOCOL_TLSv1
context = ssl.SSLContext(PROTOCOL)
context.load_default_certs()
context.load_cert_chain(clientCert, clientKey)
conn = httplib.HTTPSConnection(uri, some_port, context=context)

I am not really a network programmer, so i did some googling for handshake connection and found ssl.SSLContext(PROTOCOL) as the needed function, code works fine.

Then i hit the roadblock, my local has version 2.7.10 but all the production boxes have 2.7.3 with them, so SSLContext is not supported and upgrading python version is not an option / in control.

I tried reading ssl — SSL wrapper for socket objects but couldn't make sense out of it.

what i tried (in vain) :

s_ = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s = ssl.wrap_socket(s_, keyfile=clientKey, certfile=clientCert, cert_reqs=ssl.CERT_REQUIRED)
new_conn = s.connect((uri, some_port))

but returns :

SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)')

Question - how to generate SSL Context on older version so as to have a secure https connection?

Semiskilled answered 16/3, 2016 at 4:33 Comment(1)

I don't think that old version can work with a context. Have you tried creating the the https connection specifying the certificates, i.e. conn = httplib.HTTPSConnection(host, port, key_file, cert_file, strict, timeout) – Morn 23/3, 2016 at 4:58

You have to specify the ca_certs file (which should point to trust store)

Chessa answered 24/3, 2016 at 4:4 Comment(2)

can you elaborate bit more? – Semiskilled 24/3, 2016 at 17:59

In order to trust the server certificate you need to have the ca_certificate of server. So your wrap_socket should be like ssl.wrap_socket(s_, keyfile=clientKey, certfile=clientCert, ca_certs=cacertfile cert_reqs=ssl.CERT_REQUIRED) – Chessa 25/3, 2016 at 3:44

I've got the perfect solution using the requests library. The requests library has got to be my favorite library I've ever used, cause it takes something in Python that is inherently difficult to do -- SSL and REST requests -- and makes it unbelievably simple. I checked out their version support and Python 2.6+ is supported.

Here is an example of how to use their library.

>>> requests.get(uri)

And that is all you have to do. The requests library takes care of establishing a ssl connection.

Taking this one step farther. If you need to persist cookies between requests, you can do so like this.

>>> sess = requests.Session()
>>> credentials = {"username": "user", 
                   "password": "pass"}
>>> sess.post("https://some-website/login", params=credentials)
<Response [200]>
>>> sess.get("https://some-website/a-backend-page").text
<html> the backend page... </html>

Edit: If you need to, you can also pass in the path to the certificate and the key like so requests.get(uri, cert=('path/to/cert/abc.crt', 'path/to/key/abc.key'))

Now hopefully you can convince them to install the requests library on the production boxes, cause it would be well worth it. Let me know if this works out for you.

Lurlenelurline answered 29/3, 2016 at 6:12 Comment(2)

request.get doesn't support encrypted keys and request.post docs doesn't have any cert / key documentation...any thoughts mate? – Semiskilled 30/3, 2016 at 4:45

Dang it. Well I can't think of any other ways of doing this, but if I do, I'll let you know. – Lurlenelurline 30/3, 2016 at 20:16

Recommended topics

Hot tags