Issue 262 in pyftpdlib: ability to add ssl chain file


pyft...@googlecode.com

May 30, 2013, 6:04:08 PM
to pyftpdli...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Enhancement Priority-Medium Component-Library

New issue 262 by brianto...@gmail.com: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

I received a chainfile / intermediate certificate when I purchased an SSL
certificate. Currently pyftpdlib 1.2.0 has no ability to load this in.
The only calls made to load in PEM files are
ssl_context.use_certificate_file and ssl_context.use_privatekey_file.


I've successfully tested and verified that I was able to load in my
intermediate certificate using ssl_context.load_verify_locations(filename)
and it shows up under FileZilla. I think it would be great to see this
feature incorporated into a future version of pyftpdlib.



pyft...@googlecode.com

May 30, 2013, 8:49:24 PM
to pyftpdli...@googlegroups.com

Comment #1 on issue 262 by g.rodola: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

Can you provide a patch?

pyft...@googlecode.com

Feb 13, 2014, 7:05:24 PM
to pyftpdli...@googlegroups.com

Comment #2 on issue 262 by dop...@gmail.com: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

Hi,

I can. It's a one-liner. Using the use_certificate_chain_file() instead of
use_certificate_file() allows placing intermediate certificates into the
same PEM encoded file after the subject certificate and is actually
preferred according to
https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html

--- handlers.py.orig 2014-02-14 03:27:46.000000000 +0400
+++ handlers.py 2014-02-14 03:39:52.000000000 +0400
@@ -3239,7 +3239,7 @@
cls.ssl_context.set_options(SSL.OP_NO_SSLv2)
else:
warnings.warn("SSLv2 protocol is insecure",
RuntimeWarning)
- cls.ssl_context.use_certificate_file(cls.certfile)
+ cls.ssl_context.use_certificate_chain_file(cls.certfile)
if not cls.keyfile:
cls.keyfile = cls.certfile
cls.ssl_context.use_privatekey_file(cls.keyfile)
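
Review bot: the new use_certificate_chain_file(cls.certfile) line makes the order of the certificates inside certfile significant, and nothing in the hunk documents that. The file now has to be PEM with the subject certificate first and the intermediates after it, as the comment above the patch says, so I would state that wherever certfile is documented. Because the unchanged lines still fall back to cls.keyfile = cls.certfile, that text should also say whether the private key may sit in the same file alongside the chain.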

pyft...@googlecode.com

Feb 13, 2014, 7:08:26 PM
to pyftpdli...@googlegroups.com

Comment #3 on issue 262 by g.rodola: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

I'm not an SSL expert so I need to ask: is that backward compatible with
current functionality? Have you tried running tests after applying the
patch?

pyft...@googlecode.com

Feb 14, 2014, 3:47:12 PM
to pyftpdli...@googlegroups.com

Comment #4 on issue 262 by dop...@gmail.com: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

I'm not an expert either, but the API docs are quite clear: as long as the
certificate file is in PEM format it should not create any regression. And
because there is no way of specifying the certificate file format in
pyftpdlib anyway it works out pretty well.

I have run the tests, all passed.

pyft...@googlecode.com

Apr 11, 2014, 1:12:09 PM
to pyftpdli...@googlegroups.com
Updates:
Status: FixedInSVN
Labels: Milestone-1.3.1

Comment #5 on issue 262 by g.rodola: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

Fixed in r1252.

pyft...@googlecode.com

Apr 11, 2014, 1:20:26 PM
to pyftpdli...@googlegroups.com

Comment #6 on issue 262 by dop...@gmail.com: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

Nice one, many thanks.

BTW, why did the credit go to Brian? :)

pyft...@googlecode.com

Apr 11, 2014, 1:22:47 PM
to pyftpdli...@googlegroups.com

Comment #7 on issue 262 by g.rodola: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

Whoops! You're right, sorry. What's your name? =)

pyft...@googlecode.com

Apr 11, 2014, 1:25:45 PM
to pyftpdli...@googlegroups.com

Comment #8 on issue 262 by dop251: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

N: Dmitry Panov
C: UK
E: dop...@gmail.com

pyft...@googlecode.com

Apr 11, 2014, 1:27:26 PM
to pyftpdli...@googlegroups.com

Comment #9 on issue 262 by g.rodola: ability to add ssl chain file
http://code.google.com/p/pyftpdlib/issues/detail?id=262

Done.