i am trying to implement certificate revocation checks either through CRL or OCSP in my python 3.6 code (using the requests library) which is:
import ssl
import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.poolmanager import PoolManager
from requests.packages.urllib3.util import ssl_
CIPHERS = (
'RSA+AES'
)
class TlsAdapter(HTTPAdapter):
def __init__(self, ssl_options=0, **kwargs):
self.ssl_options = ssl_options
super(TlsAdapter, self).__init__(**kwargs)
def init_poolmanager(self, *pool_args, **pool_kwargs):
ctx = ssl_.create_urllib3_context(ciphers=CIPHERS, cert_reqs=ssl.CERT_REQUIRED, options=self.ssl_options)
# ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
self.poolmanager = PoolManager(*pool_args,
ssl_context=ctx,
**pool_kwargs)
session = requests.session()
adapter = TlsAdapter(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
session.mount("https://", adapter)
r = session.request('GET', 'https://awesome.com', verify='/etc/ssl/certs/ca-certificates.crt')
print(r)
As per the research that i did on CRL and OCSP (see here and here), there is no built in mechanism in Python for implementing certificate revocation checks with CRL. The ssl.VERIFY_CRL_CHECK_CHAIN can be leveraged but that also expects us to provide the crl file manually on the client end which is not very efficient. For reference, the WinHTTP library on windows automatically extracts all the crl paths in the certificates and checks them automatically whether the certificate has been revoked or not.
However, i could not find much information whether there is support for OSCP checks in Python 3.6 and whether it can be implemented easily either through a built in method or through a third party package maybe? Ideally, does any solution exist in Python which can automatically extract the crl server/ ocsp responder from the server certificate and then contact the respective service to verify whether the certificate has been revoked or not?
Thanks guys!
You are correct that Python's built-in ssl module does not have a built-in mechanism for certificate revocation checking using CRLs. The ssl.VERIFY_CRL_CHECK_CHAIN flag can be used to enable CRL checking, but it does require the CRL file to be provided manually, which can be cumbersome and not very efficient.
As for OCSP, Python 3.6 does not have built-in support for OCSP checking either. However, there are third-party libraries that can be used to perform OCSP checks. One such library is pyOpenSSL, which is built on top of the OpenSSL library and provides a higher-level Pythonic API for working with SSL/TLS.
You can use the pyOpenSSL library to perform OCSP checking by first creating an OCSP request and then sending it to the OCSP responder. Here is an example:
from OpenSSL import crypto from OpenSSL import SSL ocsp_request = crypto.OCSPRequest() ocsp_request.add_certificate(cert, issuer_cert) ocsp_request_data = ocsp_request.as_der() ocsp_response_data = SSL.context.get_ocsp_response(ocsp_request_data) ocsp_response = crypto.OCSPResponse.load(ocsp_response_data) print(ocsp_response.status)This example assumes that you have the certificate and issuer certificate in the cert and issuer_cert variables, respectively.
Another library that you can use is ocspbuilder which is built on top of pyOpenSSL and provides a more user-friendly interface for creating and sending OCSP requests, and also parsing and validating OCSP responses.
It's worth noting that while certificate revocation checking is important for security, it can also add significant overhead to the certificate validation process.