Give the absolute path for a client certificate with curl

If you’re expecting curl --cert somefile.pem to work, and you keep getting 403s in response, it might be because your curl is compiled against NSS, and that cert is being interpreted as an alias to an NSS DB entry. Use curl --cert ./somefile.pem instead. FWIW, this is documented in the curl man page, but who looks there? …Or use wget instead.

A PEM Backed Keystore for Java SSL

For Thumbslug, we needed to open a number of SSL connections to the same server, each with its own X.509 client certificate. Thumbslug grabs the certificates from Candlepin, which stores them in PEM format. Rather than teach Candlepin to also store these certificates in a different format, or to load them first into a format that Java deals with natively (like PKCS #12), I figured it would be best to create an SSLSession backed directly by an X509Certificate and PrivateKey loaded from the PEM file.

The Python Holy Grail

This checkin to Python brings a long-awaited (and sorely needed, IMO) enhancement to Python: SSL certificate verification support. Once the API support percolates up from socket through the various network libraries in Python proper, for the vast majority of developers there will no longer be a need for PyOpenSSL, M2Crypto, or rhnlib.