[Code] SSL Client Authentication with Python OpenID

Kershaw, PJ (Philip) philip.kershaw at stfc.ac.uk
Tue Jun 9 11:16:38 UTC 2009


Hi Kevin,

Thanks for the help.

I've experimented with pyCurl and M2Crypto.  M2Crypto looks the most flexible as I found that I could set a verify callback to do custom checks on the peer certificate.  The other consideration is that with M2Crypto I can set a custom urllib2 opener.  This means I can slot in the M2Crypto code with the existing openid.fetchers.Urllib2Fetcher without the need to write my own fetcher e.g.

import urllib2
from M2Crypto import SSL
from M2Crypto.m2urllib2 import build_opener
from openid.fetchers import Urllib2Fetcher

caCertDirPath = '/.../myCACertDir'

# Require a peer certificate and verify it against the CA directory;
# 9 is the maximum chain depth
ctx = SSL.Context()
ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 9)
ctx.load_verify_locations(capath=caCertDirPath)

# Make every urllib2 https request go through the M2Crypto context
urllib2.install_opener(build_opener(ssl_context=ctx))

fetcher = Urllib2Fetcher()
resp = fetcher.fetch('https://localhost/openid')

I also found that I needed to set the default Urllib2Fetcher explicitly, otherwise the pyCurl fetcher will take precedence if pyCurl is installed.  I added this to my initialisation code to fix it:

from openid.fetchers import setDefaultFetcher, Urllib2Fetcher
setDefaultFetcher(Urllib2Fetcher())

I'd be happy to contribute back to the library but it doesn't look like it needs any changes to the OpenID code base.

Cheers,
Phil
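The M2Crypto setup above verifies the peer against a CA directory and leaves room for custom checks in a verify callback. As an added example (not code from the mail or from the python-openid project), the same arrangement with Python 3's standard ssl and urllib.request: a strict context, a custom issuer check applied after the handshake, and a globally installed opener that a urllib-based fetcher picks up unchanged. The CA directory path and the allowed issuer name are placeholders.

```python
import ssl
import urllib.request
from http.client import HTTPSConnection

# Placeholder values for this example (not from the original mail).
CA_CERT_DIR = None          # e.g. '/path/to/myCACertDir'; None uses the system store
ALLOWED_ISSUER_CN = 'Example Org CA'


def build_context(capath=None):
    """Stdlib equivalent of M2Crypto's verify_peer|verify_fail_if_no_peer_cert:
    the peer must present a certificate that chains to a trusted CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True            # also bind the cert to the URL's host
    if capath:
        ctx.load_verify_locations(capath=capath)   # hashed CA directory, as in the mail
    else:
        ctx.load_default_certs()
    return ctx


def peer_cert_problem(cert, allowed_issuer_cn):
    """Custom check on the peer certificate, run after the handshake in place of
    an M2Crypto verify callback. Takes the dict from getpeercert(); returns None
    when the certificate is acceptable, otherwise a short reason string."""
    if not cert:
        return 'no peer certificate presented'
    issuer = {key: value for rdn in cert.get('issuer', ()) for key, value in rdn}
    if issuer.get('commonName') != allowed_issuer_cn:
        return 'certificate issued by %r, not %r' % (issuer.get('commonName'), allowed_issuer_cn)
    return None


class CheckedHTTPSConnection(HTTPSConnection):
    """HTTPS connection that applies peer_cert_problem() once the socket is up."""
    def connect(self):
        super().connect()
        problem = peer_cert_problem(self.sock.getpeercert(), ALLOWED_ISSUER_CN)
        if problem:
            self.close()
            raise ssl.SSLCertVerificationError(problem)


class CheckedHTTPSHandler(urllib.request.HTTPSHandler):
    """urllib handler that routes https:// through CheckedHTTPSConnection."""
    def https_open(self, req):
        return self.do_open(CheckedHTTPSConnection, req, context=self._context)


def install_checked_opener(capath=CA_CERT_DIR):
    """Install the opener globally; a urllib-based fetcher then uses it without changes."""
    opener = urllib.request.build_opener(CheckedHTTPSHandler(context=build_context(capath)))
    urllib.request.install_opener(opener)
    return opener
```

A fetcher that relies on urllib.request (the python-openid Urllib2Fetcher does this for urllib2) inherits the verification and the issuer check once install_checked_opener() has run.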

> -----Original Message-----
> From: code-bounces at openid.net
> [mailto:code-bounces at openid.net] On Behalf Of Kevin Turner
> Sent: 03 June 2009 17:19
> To: code at openid.net
> Subject: Re: [Code] SSL Client Authentication with Python OpenID
> 
> 
> Yes, the Fetcher interface is designed to be pluggable, so if
> you write your own implementation and install it with 
> openid.fetchers.setDefaultFetcher, you should be able to do 
> what you want.
> 
> Others might be interested in that feature too, so please
> consider contributing your implementation back to the library.
> 
> Cheers,
> 
>  - Kevin
> 
> _______________________________________________
> Code mailing list
> Code at openid.net
> http://openid.net/mailman/listinfo/code
> 