
SSL/TLS support in Pyro4


On 04/08/2017 15:12, Irmen de Jong wrote:
> On 04/08/2017 15:44, Robin Becker wrote:
..........
> You can specify a CAcert using load_verify_locations on the ssl context. Is that what
> you meant? I figured out that if you set that to the peer's certificate it will then be

Yes, I think so. Certainly the self-signed certs I tried with python3 urllib 
seemed to require valid hostnames. If I just use this as server


from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl


httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)

# Server-side TLS context carrying the self-signed cert and its private key.
# ssl.SSLContext replaces the older ssl.wrap_socket(), which was removed in Python 3.12.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='/home/rptlab/tmp/cert.pem',
                        keyfile='/home/rptlab/tmp/key.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)

httpd.serve_forever()

and this as requester

from urllib import request
import ssl

# Trust only the server's own self-signed certificate; hostname checking stays on.
# (urlopen's cafile= argument is deprecated since Python 3.6 and removed in 3.13,
# so the trust anchor is loaded into an SSLContext instead.)
context = ssl.create_default_context(cafile='/home/rptlab/tmp/cert.pem')
req = request.urlopen('https://localhost:4443', context=context)
print(req.read())


then, provided the self-signed cert has the name localhost, requests can be made OK.

I'm guessing this would also work OK if the cert had multiple names embedded in 
it, which would allow a small cluster to be used.

I don't know which part of the socket does the host name checking, but perhaps 
that can be turned off somewhere.


> accepted.  I understand it as much as "hey openssl here is a root cert that you should
> trust if you encounter it".
> Without doing this, the cert is denied on the SSL level (unless you set the ssl options
> to no-cert-required but that is definitely not what I wanted)
> 
> Bottom line is I learned something new :)
> 
> And also that Python's standard ssl library isn't as bad as I remember it to be a few
> years ago.  Is there still a reason to use, say, PyOpenSSL anymore?
> 
It's getting better anyhow.

> 
> Irmen
> 

-- 
Robin Becker
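As an added example (not code from this thread or from Pyro4), the following pins a self-signed cert as the client's only trust anchor, the load_verify_locations approach Irmen describes, and shows where the hostname check Robin asks about lives: it is the client-side SSLContext (check_hostname, on by default in create_default_context), and a SAN listing each node's name covers a small cluster without turning that check off. It assumes the openssl CLI (1.1.1 or later, for -addext) is installed and generates a throw-away key and cert at run time; the names localhost, node1.example and other.example are constructed.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(tmpdir, names=("localhost", "node1.example")):
    # Throw-away self-signed cert whose SAN lists every name a node answers to
    # (assumes the openssl CLI, 1.1.1 or later for -addext, is on PATH).
    key, cert = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    san = "subjectAltName=" + ",".join("DNS:" + n for n in names)
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + names[0], "-addext", san,
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return key, cert

def serve(keyfile, certfile, listener, attempts):
    # Server side: present the cert; a handshake the client rejects surfaces
    # here as an OSError (ssl.SSLError is a subclass), which is expected.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    for _ in range(attempts):
        try:
            conn, _ = listener.accept()
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello")
        except OSError:
            pass

def connect(port, cafile, server_hostname):
    # Client side: trust only the peer's own cert (cafile= feeds
    # load_verify_locations); CERT_REQUIRED and check_hostname stay on.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return tls.recv(16).decode()
    except ssl.SSLCertVerificationError as exc:
        return type(exc).__name__  # a name missing from the SAN is rejected

def demo():
    # Names listed in the SAN verify; a name that is not in it fails.
    names = ("localhost", "node1.example", "other.example")
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = make_self_signed(tmp)
        listener = socket.create_server(("127.0.0.1", 0))
        listener.settimeout(10)
        worker = threading.Thread(target=serve, args=(key, cert, listener, len(names)))
        worker.start()
        results = {n: connect(listener.getsockname()[1], cert, n) for n in names}
        worker.join()
        listener.close()
        return results
```

demo() returns {"localhost": "hello", "node1.example": "hello", "other.example": "SSLCertVerificationError"}: the two SAN names verify against the pinned cert, and the name outside the SAN fails the client's hostname check rather than being waved through.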