[twill] SSL client certificates (was Re: Twill question)
John J Lee
jjl at pobox.com
Sat May 27 15:25:55 PDT 2006
I always forget something.
First, to copy wwwsearch-general list.
Second, wanted to mention here explicitly -- partly for my own record --
that it seems browsers can sometimes automatically pick the right
certificate by looking in the "Issuer" field in the certificate (which
often contains a URL or host name, I gather). mechanize doesn't support
that: you must tell it which certificate is to be used for which URL. So
that's another nice-to-have that would require work to _ssl.c, or similar.
Yet another is being able to use .p12 certs without conversion, of course
(p12 is the standard format used by browsers).
On Sat, 27 May 2006, John J Lee wrote:
> OK, mechanize SVN now supports SSL client certificates. Here's a
> def add_client_certificate(self, url, key_file, cert_file):
> """Add an SSL client certificate, for HTTPS client auth.
> key_file and cert_file must be filenames of the key and certificate
> files, in PEM format. You can use e.g. OpenSSL to convert a p12 (PKCS
> 12) file to PEM format:
> openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
> openssl pkcs12 -nocerts -in cert.p12 -out key.pem
> Note that client certificate password input is very inflexible ATM. At
> the moment this seems to be console only, which is presumably the
> default behaviour of libopenssl. In future mechanize may support
> third-party libraries that (I assume) allow more options here.
> This works against a local Apache server on my machine (named 'alice' in
> traditional cryptographic fashion), but libopenssl does ask you to type in
> the PEM pass phrase, on the console (at least on this linux box). In fact
> it asks for it twice, due to the redirect from path '/certneeded' to
> '/certneeded/'! As the docstring says, maybe something like M2Crypto has
> support for GUI pass phrase input and pass phrase caching. If not, I
> guess Python's Modules/_ssl.c would have to be replaced / rewritten to ask
> libopenssl to delegate the password input appropriately.
> import mechanize
> br = mechanize.Browser()
> host = "alice:443"
> r = br.open('https://alice:443/certneeded')
> print r.get_data()
> twill mailing list
> twill at lists.idyll.org
More information about the twill