SSL/TLS support in Pyro4

On 2017-08-04 17:11, Robin Becker wrote:
> On 04/08/2017 15:12, Irmen de Jong wrote:
>> On 04/08/2017 15:44, Robin Becker wrote:
> ..........
>> You can specify a CAcert using load_verify_locations on the ssl
>> context. Is that what you meant? I figured out that if you set that
>> to the peer's certificate it will then be
> yes I think so. Certainly the self signed certs I tried with python3
> urllib seemed to require valid hostnames. If I just use this as server
> from http.server import HTTPServer, BaseHTTPRequestHandler,
> SimpleHTTPRequestHandler
> import ssl
> httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
> httpd.socket = ssl.wrap_socket (httpd.socket,
>         keyfile="/home/rptlab/tmp/key.pem",
>         certfile='/home/rptlab/tmp/cert.pem', server_side=True)
> httpd.serve_forever()
> and this as requester
> from urllib import request
> req = request.urlopen('https://localhost:4443',
>                        cafile='/home/rptlab/tmp/cert.pem')
> print(req.read())
> then provided the self signed cert has the name localhost requests can
> be made OK.
> I'm guessing this would also work OK if the cert had multiple names
> embedded in it which would allow a small cluster to be used.
> I don't know which part of the socket does the host name checking, but
> perhaps that can be turned off somewhere.

This approach works but requires a carefully crafted certificate. The
certificate must be a valid CA and EE certificate at the same time.
Either you must not include any X509v3 extensions or correctly pick the
right combination of BasicConstraints, Key Usage and Extended Key Usage.

For my tests I use my own project CA. For example
https://github.com/latchset/custodia/tree/master/tests/ca/ contains a
script to generate a CA and two EE certs. The server cert is valid for
localhost, and you can easily extend the configuration to
include one or multiple intermediate CAs.
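As an added example (not code from this thread or from the custodia project), here is the extension combination described above, built with the third-party `cryptography` package and checked with a loopback TLS handshake: the same self-signed certificate is loaded as the server's cert and as the client's only trust anchor, and the client's hostname check passes for the SAN names (`localhost` plus a constructed `node1.example.test`) and fails for any other name. The function and file names are my own.

```python
import datetime, os, pathlib, socket, ssl, tempfile, threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def make_dual_cert(names):
    """Self-signed cert usable as trust anchor AND server cert; `names` become SAN dNSNames."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    dn = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, names[0])])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
        .subject_name(dn).issuer_name(dn)   # self-signed: issuer == subject
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in names]), critical=False)
        # Extensions that must agree for a CA+EE cert: CA:TRUE + keyCertSign (chain building), serverAuth (TLS)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True,
            key_cert_sign=True, crl_sign=False, content_commitment=False, data_encipherment=False,
            key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(key, hashes.SHA256()))
    return (cert.public_bytes(serialization.Encoding.PEM),
            key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                              serialization.NoEncryption()))

def tls_handshake(cert_pem, key_pem, server_hostname):
    """One TLS handshake over 127.0.0.1; True iff the client accepted the server's cert."""
    with tempfile.TemporaryDirectory() as d:
        cert_path, key_path = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
        pathlib.Path(cert_path).write_bytes(cert_pem); pathlib.Path(key_path).write_bytes(key_pem)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); srv_ctx.load_cert_chain(cert_path, key_path)
        cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
        cli_ctx.load_verify_locations(cafile=cert_path)     # the peer's own cert is the only anchor
        listener = socket.socket(); listener.bind(("127.0.0.1", 0)); listener.listen(1)
        def serve():   # server side; a client that rejects the cert shows up here as an OSError
            try:
                with srv_ctx.wrap_socket(listener.accept()[0], server_side=True) as s: s.recv(1)
            except OSError: pass
        t = threading.Thread(target=serve); t.start()
        try:
            with socket.create_connection(listener.getsockname()) as raw, \
                 cli_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return tls.version() is not None
        except ssl.SSLCertVerificationError:   # hostname not in SAN, or extension/chain rejected
            return False
        finally:
            t.join(); listener.close()
```

Dropping keyCertSign from the Key Usage, or adding a clientAuth-only EKU, is enough to make the `localhost` handshake fail as well, which is the "carefully crafted" part of the message above.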