[twill] Twill question

John J Lee jjl at pobox.com
Sat May 27 15:13:34 PDT 2006


OK, mechanize SVN now supports SSL client certificates.  Here's a 
docstring:

def add_client_certificate(self, url, key_file, cert_file):
     """Add an SSL client certificate, for HTTPS client auth.

     key_file and cert_file must be filenames of the key and certificate
     files, in PEM format.  You can use e.g. OpenSSL to convert a p12 (PKCS
     12) file to PEM format:

     openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
     openssl pkcs12 -nocerts -in cert.p12 -out key.pem


     Note that client certificate password input is very inflexible ATM.  At
     the moment this seems to be console only, which is presumably the
     default behaviour of libopenssl.  In future mechanize may support
     third-party libraries that (I assume) allow more options here.

     """

This works against a local Apache server on my machine (named 'alice' in 
traditional cryptographic fashion), but libopenssl does ask you to type in 
the PEM pass phrase, on the console (at least on this Linux box).  In fact 
it asks for it twice, due to the redirect from path '/certneeded' to 
'/certneeded/'!  As the docstring says, maybe something like M2Crypto has 
support for GUI pass phrase input and pass phrase caching.  If not, I 
guess Python's Modules/_ssl.c would have to be replaced / rewritten to ask 
libopenssl to delegate the password input appropriately.

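import mechanize

br = mechanize.Browser()
host = "alice:443"
# Register the PEM key and certificate to present to this host.
br.add_client_certificate(
    host,
    '/home/john/comp/dev/apache/ssl/client.key',
    '/home/john/comp/dev/apache/ssl/client.crt',
)
# libopenssl prompts for the PEM pass phrase on the console here.
r = br.open('https://alice:443/certneeded')
print(r.get_data())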


John
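
An added example (not part of the original message or of mechanize): a pre-flight check on the contents of the PEM files produced by the openssl pkcs12 commands in the docstring, reporting whether the key is pass phrase protected, which is the case where libopenssl prompts on the console. The function names inspect_pem and check_pair and the sample PEM text are constructed for illustration.

```python
import re

# A PEM block: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed samples: real PEM framing, placeholder bodies (not real keys).
CERT = ("Bag Attributes\n    friendlyName: constructed\n"
        "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
ENC_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
ENC_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
              "-----END RSA PRIVATE KEY-----\n")


def inspect_pem(text):
    """Count certificates, private keys and encrypted private keys in text."""
    summary = {"certs": 0, "keys": 0, "encrypted_keys": 0}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            summary["certs"] += 1
        elif label.endswith("PRIVATE KEY"):
            summary["keys"] += 1
            # PKCS#8 marks encryption in the label; the traditional OpenSSL
            # format marks it with a Proc-Type header inside the block.
            legacy = re.search(r"^Proc-Type: 4,ENCRYPTED", body, re.MULTILINE)
            if label == "ENCRYPTED PRIVATE KEY" or legacy:
                summary["encrypted_keys"] += 1
    return summary


def check_pair(key_text, cert_text):
    """Return findings for the contents of a key_file / cert_file pair."""
    key, cert = inspect_pem(key_text), inspect_pem(cert_text)
    findings = []
    if key["keys"] != 1:
        findings.append("key file must hold exactly one private key")
    if cert["certs"] == 0:
        findings.append("cert file holds no certificate")
    if cert["keys"]:
        findings.append("cert file also contains a private key")
    if key["encrypted_keys"]:
        findings.append("key is pass phrase protected: expect a console prompt")
    elif key["keys"]:
        findings.append("key is stored unencrypted: restrict file permissions")
    return findings
```

Read the two files and pass their text to check_pair before calling add_client_certificate; an empty list is never returned for a valid pair, since the key is always reported as either protected or unencrypted.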



