[ooni-dev] Testing HTTPS URLs and certificate chain

meejah meejah at meejah.ca
Mon Jun 22 17:45:16 UTC 2015


David Fifield <david at bamsoftware.com> writes:

> I'm less sure about how to get the certificate chain. I did some
> searching and didn't find a way to get the certificate chain from the
> twisted.web.client.Agent that templates/httpt.py uses (maybe you provide
> it a twisted.internet.ssl.ContextFactory somehow?).

There's probably a better way, but there is some code in "carml" which
does verification of certificate-chains and might give you some hints:

   https://github.com/meejah/carml/blob/master/carml/command/downloadbundle.py#L59

(As the FIXME above this says, I believe Twisted >= 14 can do that too
out of the box). With the above, extracting the chain would involve
registering an OpenSSL callback and recording the cert for each depth --
perhaps there is an easier way in newer Twisted releases.

HTH,

-- 
meejah
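
The approach described in this message (an OpenSSL verify callback that records the certificate at each depth), as an added example that is not part of the original post or carml's code. It uses pyOpenSSL directly rather than Twisted; the CA, the leaf certificate, their names and the in-memory handshake are constructed for the demonstration.

```python
from OpenSSL import SSL, crypto

def make_cert(cn, serial, issuer=None, issuer_key=None):
    """Constructed test certificate; self-signed when no issuer is given."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.set_serial_number(serial)
    cert.get_subject().CN = cn
    cert.set_issuer((issuer or cert).get_subject())
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_pubkey(key)
    cert.sign(issuer_key or key, "sha256")
    return cert, key

def record_chain():
    """Handshake over memory BIOs; return {depth: X509} as seen by the client."""
    ca, ca_key = make_cert("Constructed Test CA", 1)
    leaf, leaf_key = make_cert("leaf.example.test", 2, ca, ca_key)

    server_ctx = SSL.Context(SSL.TLS_METHOD)
    server_ctx.use_privatekey(leaf_key)
    server_ctx.use_certificate(leaf)
    server_ctx.add_extra_chain_cert(ca)

    chain = {}
    def on_verify(conn, cert, errnum, depth, ok):
        chain[depth] = cert   # called once per certificate, root first
        return ok             # keep OpenSSL's verdict; recording must not weaken it

    client_ctx = SSL.Context(SSL.TLS_METHOD)
    client_ctx.get_cert_store().add_cert(ca)   # constructed CA is the only trust root
    client_ctx.set_verify(SSL.VERIFY_PEER, on_verify)

    client, server = SSL.Connection(client_ctx, None), SSL.Connection(server_ctx, None)
    client.set_connect_state()
    server.set_accept_state()
    for _ in range(6):        # pump handshake records between the two memory BIOs
        for src, dst in ((client, server), (server, client)):
            try:
                src.do_handshake()
            except SSL.WantReadError:
                pass
            try:
                dst.bio_write(src.bio_read(1 << 16))
            except SSL.WantReadError:
                pass
    return chain
```

Depth 0 is the peer's own certificate and higher depths are its issuers; because the callback returns `ok` unchanged, a chain that fails validation still aborts the handshake.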

