[twill] SSL client certificates (was Re: Twill question)

John J Lee jjl at pobox.com
Sat May 27 15:25:55 PDT 2006

I always forget something.

First, to copy wwwsearch-general list.

Second, wanted to mention here explicitly -- partly for my own record -- 
that it seems browsers can sometimes automatically pick the right 
certificate by looking in the "Issuer" field in the certificate (which 
often contains a URL or host name, I gather).  mechanize doesn't support 
that: you must tell it which certificate is to be used for which URL.  So 
that's another nice-to-have that would require work to _ssl.c, or similar. 
Yet another is being able to use .p12 certs without conversion, of course 
(p12 is the standard format used by browsers).


On Sat, 27 May 2006, John J Lee wrote:

> OK, mechanize SVN now supports SSL client certificates.  Here's a
> docstring:
> def add_client_certificate(self, url, key_file, cert_file):
>     """Add an SSL client certificate, for HTTPS client auth.
>     key_file and cert_file must be filenames of the key and certificate
>     files, in PEM format.  You can use e.g. OpenSSL to convert a p12 (PKCS
>     12) file to PEM format:
>     openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
>     openssl pkcs12 -nocerts -in cert.p12 -out key.pem
>     Note that client certificate password input is very inflexible ATM.  At
>     the moment this seems to be console only, which is presumably the
>     default behaviour of libopenssl.  In future mechanize may support
>     third-party libraries that (I assume) allow more options here.
>     """
> This works against a local Apache server on my machine (named 'alice' in
> traditional cryptographic fashion), but libopenssl does ask you to type in
> the PEM pass phrase, on the console (at least on this linux box).  In fact
> it asks for it twice, due to the redirect from path '/certneeded' to
> '/certneeded/'!  As the docstring says, maybe something like M2Crypto has
> support for GUI pass phrase input and pass phrase caching.  If not, I
> guess Python's Modules/_ssl.c would have to be replaced / rewritten to ask
> libopenssl to delegate the password input appropriately.
> import mechanize
> br = mechanize.Browser()
> host = "alice:443"
> br.add_client_certificate(
>     host,
>     '/home/john/comp/dev/apache/ssl/client.key',
>     '/home/john/comp/dev/apache/ssl/client.crt',
>     )
> r = br.open('https://alice:443/certneeded')
> print r.get_data()
> John
> _______________________________________________
> twill mailing list
> twill at lists.idyll.org
> http://lists.idyll.org/listinfo/twill

More information about the twill mailing list