This is excellent analysis, and I am glad to hear that migrating away
from M2Crypto in S12 seems doable. Note that I am keeping track of
Python 3 migration plans here:
I put much of your excellent analysis there, but I would appreciate it
if we could make more use of the Wiki for sharing information going forward.
I wonder if it makes sense to file bugs upstream with PyOpenSSL about
the crl.get_next_update(), crl.verify(), and cert.check_ca() issues.
We may find that upstream will help write some of these patches if we
explain the issues to them.
On 04/25/13 04:35 PM, Erik Trauschke wrote:
This is more about putting down some notes about this for future
I've looked a bit into what would actually be necessary to replace
M2Crypto with pyopenssl in the IPS source code.
Turns out that we are not so far away from being able to make this
At the moment the following things in pyopenssl are still lacking:
So far pyopenssl doesn't support expiry of CRLs or retrieval of CRL
expiry dates. Couldn't find a patch for this, either.
There is a patch waiting to get merged into the main code base:
Verify that CRL was signed by trusted CA.
So far there is no patch I could find, but we might be able to treat this
as a regular cert for verification (see below).
Verify that cert was signed by trusted CA.
There is a bug and patch available for this one:
Check if the current certificate is a proper CA based on
basicConstraints and keyUsage.
This one can be implemented as a small Python function because the
information required for making this determination is available in
pyopenssl. However, it's also pretty simple to add the proper OpenSSL
API call to pyopenssl.
If we target this change to go into S12 I don't see any reason why we
wouldn't be able to do it. Looking at the patches for some of the issues
above it looks fairly simple to add additional interfaces to OpenSSL
into pyopenssl, even if we'd have to do our own patches.
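The "proper CA" check from the notes above (basicConstraints CA:TRUE plus, when keyUsage is present, keyCertSign) as an added example; this is not IPS or pyOpenSSL code. It assumes the extension values come from pyOpenSSL's X509Extension.get_short_name() and str(X509Extension), so the core check is a pure function over those strings and the pyOpenSSL wrapper is only needed when a real X509 object is at hand.

```python
from typing import Mapping


def check_ca(extensions: Mapping[str, str]) -> bool:
    """Decide whether an extension set describes a CA certificate.

    `extensions` maps short extension names (decoded get_short_name())
    to their printed values (str(ext)), e.g.
        {"basicConstraints": "CA:TRUE, pathlen:0",
         "keyUsage": "Digital Signature, Certificate Sign, CRL Sign"}
    Rules follow RFC 5280: basicConstraints must assert CA:TRUE, and if
    keyUsage is present it must include keyCertSign, which OpenSSL
    prints as "Certificate Sign". A missing basicConstraints is not a CA.
    """
    bc = extensions.get("basicConstraints")
    if bc is None:
        return False
    flags = [part.strip() for part in bc.split(",")]
    if "CA:TRUE" not in flags:
        return False
    ku = extensions.get("keyUsage")
    if ku is not None:
        usages = {part.strip() for part in ku.split(",")}
        if "Certificate Sign" not in usages:
            return False
    return True


def extensions_of(cert) -> dict:
    """Collect extensions from a pyOpenSSL OpenSSL.crypto.X509 object
    (assumed API: get_extension_count/get_extension/get_short_name)."""
    result = {}
    for i in range(cert.get_extension_count()):
        ext = cert.get_extension(i)
        result[ext.get_short_name().decode("ascii")] = str(ext)
    return result


def is_ca_cert(cert) -> bool:
    """Wrapper for a pyOpenSSL X509 object."""
    return check_ca(extensions_of(cert))


if __name__ == "__main__":
    # Constructed sample extension sets, not taken from real certificates.
    root = {"basicConstraints": "CA:TRUE, pathlen:0",
            "keyUsage": "Certificate Sign, CRL Sign"}
    leaf = {"basicConstraints": "CA:FALSE",
            "keyUsage": "Digital Signature, Key Encipherment"}
    bad = {"basicConstraints": "CA:TRUE",  # CA flag without keyCertSign
           "keyUsage": "Digital Signature"}
    print(check_ca(root), check_ca(leaf), check_ca(bad))
```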
[pkg-discuss] Re: removal of M2Crypto