Release v14.0.0 (What’s new?).
TL;DR: Use this package if you use pyOpenSSL and don’t want to be MITMed.
service_identity aspires to give you all the tools you need for verifying whether a certificate is valid for the intended purposes.
In the simplest case, this means host name verification. However, service_identity implements RFC 6125 fully and plans to add other relevant RFCs too.
service_identity’s documentation lives at Read the Docs, the code on GitHub.
$ pip install service_identity
Python 2.6, 2.7, 3.3 and later, as well as PyPy are supported.
Additionally, the following PyPI modules are required:
Optionally, idna >= 0.6 can be used for internationalized domain names (IDN), i.e. non-ASCII domains. Unfortunately it is required for IDN support because Python's IDN support in the standard library is outdated even in the latest releases.
If you need Python 3.2 support, you will have to use the latest 0.2.x release. It will receive bug fix releases if necessary but other than that no further development is planned.
Note
The APIs for RFC 6125 verification beyond DNS-IDs (i.e. hostnames) aren't public yet. They are in place and used by the documented high-level APIs though. Eventually they will become public. If you'd like to play with them and provide feedback, have a look at the verify_service_identity function in the _common module.
Verify whether the certificate of connection is valid for hostname.
Parameters: connection, hostname
Raises: VerificationError
Returns: None
In practice, this may look like the following:
from __future__ import absolute_import, division, print_function
import socket
from OpenSSL import SSL
from service_identity import VerificationError
from service_identity.pyopenssl import verify_hostname

ctx = SSL.Context(SSL.SSLv23_METHOD)
# Let OpenSSL validate the chain; the callback just passes its verdict through.
ctx.set_verify(SSL.VERIFY_PEER, lambda conn, cert, errno, depth, ok: ok)
ctx.set_default_verify_paths()
hostname = u"twistedmatrix.com"
conn = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
conn.connect((hostname, 443))
try:
    conn.do_handshake()
    # Chain validation alone does not check the name; this does.
    verify_hostname(conn, hostname)
    # Do your super-secure stuff here.
except SSL.Error as e:
    print("TLS Handshake failed: {0!r}.".format(e.args[0]))
except VerificationError:
    print("Presented certificate is not valid for {0}.".format(hostname))
finally:
    conn.shutdown()
    conn.close()
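The snippet above delegates the name check to verify_hostname. To show what "RFC 6125 DNS-ID matching" means in practice, here is an added illustration of the section 6.4.3 rules that such a check applies: case-insensitive label-by-label comparison, a single wildcard confined to the leftmost label that never matches across a dot, no wildcard inside an IDN A-label, and no DNS-ID match for IP literals. This is example code written for this page, not service_identity's implementation; the names dns_id_matches, verify_dns_ids and DNSIDMismatch are hypothetical, the rule that a wildcard needs at least two labels to its right is a conservative policy choice of this example rather than an RFC requirement, and the dns_ids list stands in for a certificate's dNSName SAN entries (extraction from the certificate is not shown). It targets Python 3.

```python
"""RFC 6125 DNS-ID matching, written as an added illustration.

Not service_identity's code: the function and exception names are hypothetical.
"""
import ipaddress


class DNSIDMismatch(Exception):
    """Raised when no DNS-ID in the certificate matches the hostname."""


def _labels(name):
    # Comparison is case-insensitive; a trailing dot (FQDN form) is ignored.
    return name.rstrip(".").lower().split(".")


def _is_ip_literal(hostname):
    # DNS-IDs never match IP addresses; those belong to iPAddress SANs.
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def dns_id_matches(pattern, hostname):
    """Return True if the certificate DNS-ID `pattern` is valid for `hostname`.

    Rules (RFC 6125 section 6.4.3, plus one conservative extra):
      * labels are compared case-insensitively, one by one;
      * a wildcard may appear only in the leftmost label and matches
        within that single label, never across a dot;
      * a wildcard inside an IDN A-label (xn--...) is not honoured;
      * extra (this example's policy, not the RFC): a wildcard label needs
        at least two labels to its right, so "*.com" is rejected.
    """
    if _is_ip_literal(hostname) or "*" in hostname:
        return False
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if any(not label for label in p_labels + h_labels):
        return False  # empty labels ("a..b") are never valid
    if "*" not in pattern:
        return p_labels == h_labels
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard outside the leftmost label
    head = p_labels[0]
    if head.count("*") > 1 or head.startswith("xn--") or len(p_labels) < 3:
        return False
    # Same number of labels and identical tail: the wildcard never spans a dot.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    prefix, suffix = head.split("*")  # supports partial wildcards like "baz*"
    h_head = h_labels[0]
    return (len(h_head) >= len(prefix) + len(suffix)
            and h_head.startswith(prefix) and h_head.endswith(suffix))


def verify_dns_ids(hostname, dns_ids):
    """Return the first DNS-ID valid for `hostname`, else raise DNSIDMismatch.

    `dns_ids` stands in for the dNSName entries of the subjectAltName
    extension of the certificate presented by the peer.
    """
    for dns_id in dns_ids:
        if dns_id_matches(dns_id, hostname):
            return dns_id
    raise DNSIDMismatch("no DNS-ID in %r is valid for %r" % (dns_ids, hostname))


if __name__ == "__main__":
    # Constructed SAN list, as a certificate for example.com might carry it.
    sans = ["example.com", "*.example.com"]
    print(verify_dns_ids("www.example.com", sans))
    try:
        verify_dns_ids("www.attacker.example", sans)
    except DNSIDMismatch as exc:
        print("rejected:", exc)
```

The match is deliberately strict: "*.example.com" is valid for "www.example.com" but not for "example.com" or "a.b.example.com", and a certificate carrying "www.*.com" or "xn--*.example.com" matches nothing. A real client also has to confirm the chain was validated and that the name it compares is the one the user asked for, not one taken from the certificate.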
exception service_identity.VerificationError: Verification failed.
A certificate contains invalid or unexpected data.
service_identity is licensed under the permissive MIT license. The full license text can also be found in the source code repository.
service_identity is currently maintained by Hynek Schlawack.
The development is kindly supported by Variomedia AG.
If you think you’ve found a security-relevant bug, please contact me privately and ideally encrypt your message using PGP. I will then work with you on a responsible resolution. You can find my contact information and PGP data on my homepage.
The following wonderful people contributed directly or indirectly to this project:
Please add yourself here alphabetically when you submit your first pull request.
Every open source project lives on the generous help of contributors who sacrifice their time, and service_identity is no different.
To make participation as pleasant as possible, this project adheres to the Code of Conduct by the Python Software Foundation.
Here are a few hints and rules to get you started:
Note
If you have something great but aren’t sure whether it adheres – or even can adhere – to the rules above: please submit a pull request anyway!
In the best case, we can mold it into something, in the worst case the pull request gets politely closed. There’s absolutely nothing to fear.
Thank you for considering contributing to service_identity! If you have any questions or concerns, feel free to reach out to me. I can usually be found on the #cryptography-dev channel on freenode.
Versions are year-based with a strict backwards-compatibility policy. The third digit is only for regressions.