
Python Wws Library Requires Entire Certificate Chain To Verify Server

I am using ssl.py to connect to a webserver and I would like to verify the server certificate. I have a ROOT_CA, which signs an INTERMEDIATE_CA, and this finally signs the SERVER_CER.

Solution 1:

By default OpenSSL needs the full certificate chain, including the root certificate. With OpenSSL 1.0.2, a new verification flag X509_V_FLAG_PARTIAL_CHAIN was added, which makes it possible to let the trust chain end in a trusted certificate even if that certificate is not a root certificate (i.e. subject and issuer differ).

It looks like Python does not yet have a constant defined for this, so one needs to use the integer representation:

import socket
import ssl

host = 'www.example.com'  # hypothetical server name; the original post elides the connection arguments
ctx = ssl.create_default_context()
ctx.load_verify_locations(cafile='subca.pem')  # contains only the sub-CA certificate
ctx.verify_flags |= 0x80000                     # set X509_V_FLAG_PARTIAL_CHAIN
ssock = ctx.wrap_socket(socket.create_connection((host, 443)), server_hostname=host)  # SSLContext.wrap_socket, not ssl_wrap
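The following is an added, stand-alone example (not code from the answer above) that packages the partial-chain setting into a reusable client context. It goes slightly beyond the answer: Python 3.10 and later expose the flag as ssl.VERIFY_X509_PARTIAL_CHAIN, so the helper prefers that name and falls back to the raw 0x80000 on older interpreters; and because ssl.create_default_context() also loads the operating-system trust store, the helper defaults to an empty store built from ssl.PROTOCOL_TLS_CLIENT so that only the pinned sub-CA is trusted. CERT_REQUIRED and hostname checking stay on in both modes. The file names and host in the __main__ block are hypothetical.

```python
import socket
import ssl
from typing import Optional

# X509_V_FLAG_PARTIAL_CHAIN as OpenSSL (>= 1.0.2) defines it. Python 3.10+
# exposes the same value as ssl.VERIFY_X509_PARTIAL_CHAIN; older versions
# need the raw integer.
X509_V_FLAG_PARTIAL_CHAIN = 0x80000


def partial_chain_flag() -> int:
    """Return the partial-chain verify flag, preferring the named constant."""
    return int(getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", X509_V_FLAG_PARTIAL_CHAIN))


def make_partial_chain_context(cafile: Optional[str] = None,
                               trust_system_store: bool = False) -> ssl.SSLContext:
    """Client context that accepts a chain ending at whatever is in `cafile`,
    even if that file holds only an intermediate CA (no self-signed root).

    trust_system_store=False (the default) starts from an empty store, so a
    server presenting a cert from some public CA is rejected; only a cert
    chaining to the pinned sub-CA passes. trust_system_store=True matches
    the answer's ssl.create_default_context(), which also loads the OS store.
    """
    if trust_system_store:
        ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, OS roots
    else:
        # PROTOCOL_TLS_CLIENT sets CERT_REQUIRED and check_hostname=True but
        # loads no CA certificates, so the store holds exactly what we add.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    # Allow the verified chain to stop at a trusted non-root certificate.
    ctx.verify_flags |= partial_chain_flag()
    return ctx


def verify_settings(ctx: ssl.SSLContext) -> dict:
    """Summarise what the context will enforce during the handshake."""
    return {
        "partial_chain": bool(int(ctx.verify_flags) & X509_V_FLAG_PARTIAL_CHAIN),
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "trusted_certs": ctx.cert_store_stats()["x509_ca"],  # CA certs in the store
    }


def fetch_peer_cert(host: str, ctx: ssl.SSLContext, port: int = 443,
                    timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the peer certificate.

    Raises ssl.SSLCertVerificationError when the server's chain does not end
    at a certificate in the context's store (or the hostname does not match).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Hypothetical usage: python partial_chain.py subca.pem www.example.internal
    import sys
    cafile, host = sys.argv[1], sys.argv[2]
    ctx = make_partial_chain_context(cafile)
    print(verify_settings(ctx))
    print("verified peer subject:", fetch_peer_cert(host, ctx)["subject"])
```

If the server's chain does not reach the sub-CA (for example the server only sends its leaf and that leaf was issued by a different intermediate), wrap_socket raises ssl.SSLCertVerificationError; the flag only relaxes where the chain may end, not whether it must be built and checked.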
