[ooni-dev] Testing HTTPS URLs and certificate chain
Aaron Gibson
aagbsn at extc.org
Sun Jun 28 14:38:15 UTC 2015
On 2015-06-22 17:45, meejah wrote:
> David Fifield <david at bamsoftware.com> writes:
>
>> I'm less sure about how to get the certificate chain. I did some
>> searching and didn't find a way to get the certificate chain from the
>> twisted.web.client.Agent that templates/httpt.py uses (maybe you provide
>> it a twisted.internet.ssl.ContextFactory somehow?).
>
The openssl python bindings are garbage and broken. Here is how I did
it:
https://github.com/TheTorProject/ooni-probe/blob/feature/tor_tests/ooni/nettests/experimental/tor_tls_handshake.py
> There's probably a better way, but there is some code in "carml" which
> does verification of certificate-chains and might give you some hints:
>
>
> https://github.com/meejah/carml/blob/master/carml/command/downloadbundle.py#L59
>
> (As the FIXME above this says, I believe Twisted >= 14 can do that too
> out of the box). With the above, extracting the chain would involve
> registering an OpenSSL callback and recording the cert for each depth --
> perhaps there is an easier way in newer Twisted releases.
>
> HTH,
Would really hope so, but think it's an OpenSSL thing. Also note that
setting the cipher suites doesn't seem to really do anything either...
:( :( :(