
service_identity 0.2

Service identity verification for pyOpenSSL.

Latest Version: 17.0.0


This software is currently alpha and under review. Use it at your own peril.

Any part is subject to change, but feedback is very welcome!


service_identity aspires to give you all the tools you need for verifying whether a certificate is valid for the intended purposes.

In the simplest case, this means host name verification. However, service_identity implements RFC 6125 fully and plans to add other relevant RFCs too.



  • dNSName with fallback to CN (DNS-ID, aka host names, RFC 6125).
  • uniformResourceIdentifier (URI-ID, RFC 6125).
  • SRV-ID (RFC 6125)



Verify a Hostname

The simplest, most common, and most important usage:

from __future__ import absolute_import, division, print_function

import socket

from OpenSSL import SSL
from service_identity import VerificationError
from service_identity.pyopenssl import verify_hostname

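ctx = SSL.Context(SSL.SSLv23_METHOD)
# Abort the handshake unless OpenSSL's own chain validation succeeded.
ctx.set_verify(SSL.VERIFY_PEER, lambda conn, cert, errno, depth, ok: ok)
# Load the platform's default CA certificates as trust anchors.
ctx.set_default_verify_paths()

hostname = u""  # fill in the host name you are connecting to
conn = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
conn.connect((hostname, 443))

try:
    # The peer certificate is only available after the handshake.
    conn.do_handshake()
    # Check that the presented certificate is valid for this host name.
    verify_hostname(conn, hostname)
    # Do your super-secure stuff here.
except SSL.Error as e:
    print("TLS Handshake failed: {0!r}.".format(e.args[0]))
except VerificationError:
    print("Presented certificate is not valid for {0}.".format(hostname))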
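
To show what a host name check of this kind has to decide, here is an added example that is not service_identity's own code: a simplified DNS-ID matcher in the spirit of RFC 6125, with fallback to the CN only when the certificate has no dNSName. The function names and the sample identities are hypothetical; partial wildcards such as w*.example.com are rejected and IDNs and IP addresses are not handled.

```python
# Added illustration of RFC 6125-style DNS-ID matching.
# Not service_identity's code; all names below are hypothetical.


def _labels(name):
    # DNS names compare case-insensitively; drop one trailing root dot.
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def dns_pattern_matches(pattern, hostname):
    """Return True if a certificate DNS-ID pattern covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the complete left-most label, and only with
        # at least two literal labels after it (rejects "*.com").
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Any other use of "*" (for example "w*.example.com") is refused.
    return "*" not in pattern and p == h


def hostname_is_valid(hostname, san_dns_names, common_name=None):
    """Match hostname against the dNSName entries; consult the CN only
    when the certificate carries no dNSName at all."""
    candidates = san_dns_names or ([common_name] if common_name else [])
    return any(dns_pattern_matches(c, hostname) for c in candidates)


if __name__ == "__main__":
    # Constructed identities: (hostname, dNSNames, CN)
    samples = [
        ("www.example.com", ["*.example.com"], None),
        ("a.b.example.com", ["*.example.com"], None),
        ("evil.test", ["good.test"], "evil.test"),
        ("legacy.test", [], "legacy.test"),
    ]
    for host, sans, cn in samples:
        print(host, sans, cn, "->", hostname_is_valid(host, sans, cn))
```

The third sample is the case that matters most: once a certificate carries any dNSName, a matching CN must not rescue an otherwise failing check.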


Python 2.6, 2.7, 3.2, 3.3, and 3.4 as well as PyPy are supported.

Additionally, the following PyPI modules are required:

Optionally, idna can be used for internationalized domain names (IDN), aka non-ASCII domains. Please note that idna is not available for Python 3.2. It is required for IDN support because Python’s stdlib support is outdated.


0.2.0 (2014-04-06)

This release contains multiple backward-incompatible changes.

  • Refactor into a multi-module package. Most notably, verify_hostname and extract_ids live in the service_identity.pyopenssl module now.
  • verify_hostname now takes an OpenSSL.SSL.Connection for the first argument.
  • Fewer false positives in IP address detection.
  • Officially support Python 3.4 too.
  • More strict checks for URI_IDs.

0.1.0 (2014-03-03)

  • Initial release.


service_identity is currently maintained by Hynek Schlawack.

If you think you’ve found a security-relevant bug, please contact me privately and ideally encrypt your message using PGP. I will then work with you on a responsible resolution. You can find my contact information and PGP data on my homepage.


The following wonderful people contributed directly or indirectly to this project:

Please add yourself here alphabetically when you submit your first pull request.

| File | Type | Py Version | Uploaded on | Size |
| --- | --- | --- | --- | --- |
| service_identity-0.2-py2.py3-none-any.whl (md5) | Python Wheel | 2.7 | 2014-04-06 | 12KB |
| service_identity-0.2.tar.gz (md5) | Source | | 2014-04-07 | 20KB |