[ooni-dev] Testing HTTPS URLs and certificate chain

Aaron Gibson aagbsn at extc.org
Sun Jun 28 14:38:15 UTC 2015

On 2015-06-22 17:45, meejah wrote:
> David Fifield <david at bamsoftware.com> writes:
>> I'm less sure about how to get the certificate chain. I did some
>> searching and didn't find a way to get the certificate chain from the
>> twisted.web.client.Agent that templates/httpt.py uses (maybe you provide
>> it a twisted.internet.ssl.ContextFactory somehow?).

The openssl python bindings are garbage and broken. Here is how I did 


> There's probably a better way, but there is some code in "carml" which
> does verification of certificate-chains and might give you some hints:
> https://github.com/meejah/carml/blob/master/carml/command/downloadbundle.py#L59
> (As the FIXME above this says, I believe Twisted >= 14 can do that too
> out of the box). With the above, extracting the chain would involve
> registering an OpenSSL callback and recording the cert for each depth --
> perhaps there is an easier way in newer Twisted releases.
> HTH,

Would really hope so, but think it's an OpenSSL thing. Also note that 
setting the cipher suites doesn't seem to really do anything either... 
:( :( :(
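
The approach suggested in the quoted reply (an OpenSSL verify callback that records the certificate seen at each depth), as an added example that is not part of the original thread and is not ooni-probe or carml code. It assumes pyOpenSSL is installed; `make_cert` and `record_chain` are hypothetical helper names, and the certificates are constructed throwaway ones exchanged over in-memory BIOs, so nothing touches the network.

```python
from OpenSSL import SSL, crypto

def make_cert(cn, serial, issuer_cert=None, issuer_key=None):
    """Constructed throwaway certificate; self-signed when no issuer is given."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.set_serial_number(serial)
    cert.get_subject().CN = cn
    cert.set_issuer((issuer_cert or cert).get_subject())
    cert.gmtime_adj_notBefore(-60)
    cert.gmtime_adj_notAfter(3600)
    cert.set_pubkey(key)
    cert.sign(issuer_key or key, "sha256")
    return key, cert

def record_chain(trusted_root, server_key, server_cert):
    """Handshake over memory BIOs; return [(subject CN, verify errno)] by depth."""
    seen = {}

    def on_verify(conn, cert, errnum, depth, ok):
        seen[depth] = (cert.get_subject().CN, errnum)
        return bool(ok)  # record only: OpenSSL's own verdict is left unchanged

    cctx = SSL.Context(SSL.TLS_METHOD)
    cctx.get_cert_store().add_cert(trusted_root)
    cctx.set_verify(SSL.VERIFY_PEER, on_verify)
    sctx = SSL.Context(SSL.TLS_METHOD)
    sctx.use_certificate(server_cert)
    sctx.use_privatekey(server_key)
    client, server = SSL.Connection(cctx, None), SSL.Connection(sctx, None)
    client.set_connect_state()
    server.set_accept_state()
    for _ in range(6):  # pump handshake records between the two ends, no network
        for src, dst in ((client, server), (server, client)):
            try:
                src.do_handshake()
            except SSL.WantReadError:
                pass
            try:
                dst.bio_write(src.bio_read(65536))
            except SSL.WantReadError:
                pass
    return [seen[d] for d in sorted(seen)]

if __name__ == "__main__":
    root_key, root = make_cert("constructed test root", 1)
    leaf_key, leaf = make_cert("constructed.example", 2, root, root_key)
    print(record_chain(root, leaf_key, leaf))
```

Because the callback returns OpenSSL's own `ok` value, recording the chain does not relax verification; a chain that fails validation still aborts the handshake with `SSL.Error`.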
