OPNsense
Author Topic: Using own CA's w/Python (update_tables.py, etc.)  (Read 11146 times)

NOYB

Re: Using own CA's w/Python (update_tables.py, etc.)
« Reply #15 on: December 25, 2017, 01:55:01 pm »
It's an ugly duckling hack, but it's functional with the hash dir.  See attached patch.

If the first connection attempt fails, it then tries again with verify set to the hash dir.  A tacky hack.

To get the hash filename for certs with PHP:
Code:
<?php
// $crt: base64-encoded PEM certificate as stored in config.xml
$crt_inf = openssl_x509_parse(base64_decode($crt));
$cert_hash_filename = $crt_inf['hash'] . ".0"; // OpenSSL subject hash + ".0", the capath file name
« Last Edit: December 25, 2017, 11:08:27 pm by NOYB »

NOYB

Re: Using own CA's w/Python (update_tables.py, etc.)
« Reply #16 on: December 30, 2017, 12:16:08 am »
What can be done to get the requests module to try additional certificate store(s) instead of exclusively the Certifi store?

It seems like the best solution would be for Certifi to try additional certificate store(s) when a match is not found in its own bundle.  But I don't see an obvious way to do that in the Certifi code.

There must be a better way than another connection attempt with a different certificate store specified.  Functional but unseemly.  At least the second connection attempt is only done to my "own" servers.

fabian

Re: Using own CA's w/Python (update_tables.py, etc.)
« Reply #17 on: December 30, 2017, 09:02:45 am »
Quote from: NOYB on December 30, 2017, 12:16:08 am
What can be done to get the requests module to try additional certificate store(s) instead of exclusively the Certifi store?

It seems like the best solution would be for Certifi to try additional certificate store(s) when a match is not found in its own bundle.  But don't see an obvious way to do that to the Certifi code.

Certifi seems to be only some code returning the path to its bundled cacert.pem.

Quote from: NOYB on December 30, 2017, 12:16:08 am
There must be a better way than another connection attempt with a different certificate store specified.  Functional but unseemly.  At least the second connection attempt is only done to my "own" servers.
In theory the certificates could be added from config.xml.

NOYB

Re: Using own CA's w/Python (update_tables.py, etc.)
« Reply #18 on: December 30, 2017, 09:41:31 am »
Quote from: fabian on December 30, 2017, 09:02:45 am
In theory the certificates could be added from config.xml

Adding custom system certs to the distributed Certifi bundle has its own baggage issues.  Amongst them, not being a system-wide solution.  The objective is for system config CA certs to be trusted not only by Python requests, but by everything that supports secure connections (notifications, custom DynDNS, URL table updates, etc.).

With the exception of URL table updates (Python requests), they all have native support for using a hash dir (capath) fallback when a cert match is not found in the bundle.

I've been using this for quite a while to trust my own CAs from the system config.  But Python requests exclusively using the Certifi bundle is a barrier.
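Added example, not code from this thread or from OPNsense: one way to answer the question in Reply #16 (getting requests to consult a store other than the Certifi bundle) and meet the requirement in Reply #18 (trust the system hash dir as well) without NOYB's second connection attempt. It builds a single SSLContext that loads the certifi bundle as cafile and the system hash dir as capath, then hands that context to requests through a mounted HTTPAdapter, so one handshake verifies against both stores. Python 3.6+ with requests and certifi installed is assumed; the capath location, the adapter class and the function names are assumptions for illustration, not anything OPNsense ships.

```python
"""Make `requests` verify against the certifi bundle AND a system hash dir (capath)
in one TLS handshake, instead of retrying with a different store after an SSLError.

Assumed environment: Python 3.6+, requests 2.x, certifi. The capath below is an
assumed location, not an OPNsense path.
"""
import os
import ssl

import certifi
import requests
from requests.adapters import HTTPAdapter

# Assumed location of the operator-maintained hash dir (files named <subject_hash>.0,
# the same value the PHP snippet earlier in the thread computes).
SYSTEM_CAPATH = "/usr/local/etc/ssl/certs"


def build_trust_context(cafile=certifi.where(), capath=SYSTEM_CAPATH):
    """Return a verifying client context that trusts both cafile and capath.

    PROTOCOL_TLS_CLIENT gives CERT_REQUIRED plus hostname checking and does not
    silently pull in OpenSSL's default paths, so the trust set is exactly what is
    loaded here. OpenSSL reads a capath lazily (one subject-hash lookup per issuer
    during chain building), so a cert that is missing from the dir only shows up
    as a verification failure at handshake time.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A missing hash dir is treated as empty: fewer trusted CAs, i.e. fail closed.
    ctx.load_verify_locations(
        cafile=cafile, capath=capath if os.path.isdir(capath) else None
    )
    return ctx


class TrustStoreAdapter(HTTPAdapter):
    """HTTPAdapter that hands our SSLContext to urllib3's pool manager."""

    def __init__(self, ssl_context, **kwargs):
        # Must be set before super().__init__(), which already calls init_poolmanager().
        self._ssl_context = ssl_context
        super().__init__(**kwargs)

    def init_poolmanager(self, connections, maxsize, block=False, **pool_kwargs):
        pool_kwargs["ssl_context"] = self._ssl_context
        return super().init_poolmanager(connections, maxsize, block=block, **pool_kwargs)

    def proxy_manager_for(self, proxy, **proxy_kwargs):
        # Keep the same trust set when the request goes through an HTTPS proxy.
        proxy_kwargs["ssl_context"] = self._ssl_context
        return super().proxy_manager_for(proxy, **proxy_kwargs)


def make_session(ctx):
    """Session whose HTTPS connections verify against the combined trust set."""
    session = requests.Session()
    session.mount("https://", TrustStoreAdapter(ctx))
    return session


def fetch_table(url, ctx=None):
    """Fetch one URL table (assumed use, in the spirit of update_tables.py) with a
    single, fully verified attempt. Returns the response body text."""
    session = make_session(ctx or build_trust_context())
    resp = session.get(url, timeout=30)
    resp.raise_for_status()
    return resp.text


if __name__ == "__main__":
    # Example URL; requires network access.
    print(fetch_table("https://example.com/")[:80])
```

The hash dir only works if its files carry OpenSSL subject-hash names (`<hash>.0`, `.1` on collisions), so it has to be rehashed (`openssl rehash` or `c_rehash`) whenever a CA is added to the system config. Because verification happens in one handshake, hostname checking and `CERT_REQUIRED` stay in force for the capath-trusted CAs exactly as for the bundled ones, which a retry with `verify=<dir>` also preserves but at the cost of a second TLS connection and an error-driven control flow. Newer requests releases (2.32.x) substitute their own preloaded certifi context only when the pool manager carries no `ssl_context`, so an adapter like this one keeps its trust set.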
