On 2015-06-22 17:45, meejah wrote:
David Fifield <david@bamsoftware.com> writes:
I'm less sure about how to get the certificate chain. I did some searching and didn't find a way to get the certificate chain from the twisted.web.client.Agent that templates/httpt.py uses (maybe you provide it a twisted.internet.ssl.ContextFactory somehow?).
The openssl python bindings are garbage and broken. Here is how I did it:
https://github.com/TheTorProject/ooni-probe/blob/feature/tor_tests/ooni/nett...
There's probably a better way, but there is some code in "carml" which does verification of certificate-chains and might give you some hints:
https://github.com/meejah/carml/blob/master/carml/command/downloadbundle.py#...
(As the FIXME above this says, I believe Twisted >= 14 can do that too out of the box). With the above, extracting the chain would involve registering an OpenSSL callback and recording the cert for each depth -- perhaps there is an easier way in newer Twisted releases.
HTH,
Would really hope so, but think it's an OpenSSL thing. Also note that setting the cipher suites doesn't seem to really do anything either... :( :( :(
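An added example, not part of the thread above and not code from ooni-probe, carml or Twisted: a pyOpenSSL verify callback that records the certificate seen at each depth, the approach meejah's message describes. The names `ChainRecorder` and `make_context` are made up for this illustration, and wiring the context into `twisted.web.client.Agent` is not shown.

```python
class ChainRecorder:
    """Records the certificate OpenSSL presents at each verification depth."""

    def __init__(self):
        self.by_depth = {}  # depth -> certificate (0 is the leaf)
        self.errors = []    # (depth, errnum) for every failed check

    def verify_cb(self, conn, cert, errnum, depth, ok):
        # pyOpenSSL verify-callback signature: (Connection, X509, errnum, depth, ok).
        # OpenSSL may call the callback more than once for the same depth
        # (for example once for an error and again for the result), so keep
        # the first certificate seen at each depth.
        self.by_depth.setdefault(depth, cert)
        if not ok:
            self.errors.append((depth, errnum))
        # Pass OpenSSL's own verdict through. Returning True unconditionally
        # would accept chains that failed verification.
        return bool(ok)

    def chain(self):
        """Recorded certificates, leaf first and root last."""
        return [self.by_depth[d] for d in sorted(self.by_depth)]


def make_context(recorder):
    """Build a pyOpenSSL client context that verifies the peer and records its chain."""
    # Imported here so ChainRecorder can be used and tested without pyOpenSSL.
    from OpenSSL import SSL

    ctx = SSL.Context(SSL.TLS_METHOD)
    ctx.set_default_verify_paths()  # trust the platform CA store
    ctx.set_verify(SSL.VERIFY_PEER, recorder.verify_cb)
    return ctx
```

After the handshake on a connection built from this context, `recorder.chain()` holds the `X509` objects and `recorder.errors` lists any depth at which verification failed.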