+ +

HOWTO: Programming HTTPS in Python with M2CryptoHOWTO: Programming SSL in Python with M2Crypto

Pheng Siong Ng

ngps@netmemetic.com

+Ng Pheng Siong (ngps@netmemetic.com) and Heikki Toivonen (heikki@osafoundation.org) +

Revision History
Revision $Revision: 1.1 $	$Date: 2003/06/22 16:41:18 $

+ +

M2Crypto @@ -107,93 +68,12 @@ TARGET="_top" >This document demonstrates programming HTTPS with M2Crypto.

Programming HTTPS

HTTPS - HTTP over SSL/TLS

Python has had good HTTP support for several years now. M2Crypto's - HTTPS functionality mostly adopts the interfaces in Python's HTTP modules. -

- -

In this HOWTO, we shall begin with writing HTTPS clients. Now, to - test the HTTPS clients we write, we need a HTTPS server; conversely, to - test our HTTPS servers, we need a HTTPS client. ;-)

+ -

All the programs we write in this HOWTO are found in - <m2crypto>/demo/https.howto/. Additionally, a number of programs from - <m2crypto>/demo/ssl are also copied into this directory; their names are - prefixed by "orig". These "orig" programs shall be our known-working HTTPS - clients and servers.

ssldump

ssldump "is an SSLv3/TLS network protocol analyser. It identifies - TCP connections on the chosen network interface and attempts to interpret - them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it - decodes the records and displays them in a textual form to stdout. If - provided with the appropriate keying material, it will also decrypt the - connections and display the application data traffic. -

- -

- If linked with OpenSSL, ssldump can display certificates in decoded form - and decrypt traffic (provided that it has the appropriate keying - material)." -

- -

ssldump is written by Eric Rescorla. -

- -

orig-https-srv.py

orig_https_srv.py is an enhanced version of SimpleHTTPServer that - features the following: -

Works over HTTPS. -
Uses one thread per connection. -
Generates directory listings. -
Displays SSL handshaking and SSL session info. -
Performs SSL renegotiation when a magic URL is requested. -

- -

Invoke orig_https_srv.py thusly:

-$ python orig_https_srv.py
-

- -

By default, orig_https_srv.py serves HTTPS on port 9443.

- -

- - -

M2Crypto.BIO.IOBuffer object that works over the underlying M2Crypto.SSL.Connection directly.
+
Since then M2Crypto has gained a Twisted wrapper that allows securing + Twisted SSL connections with M2Crypto.

A simple HTTPS-POST client

- - -

A multi-threaded HTTPS client

Secure SSL

+ +

It is recommended that you read the book Network Security with OpenSSL by John Viega, Matt Messier and Pravir Chandra, +ISBN 059600270X.

An asynchronous session-reusing client

Using M2Crypto does not automatically make an SSL connection secure. There are various steps that need to be made +before we can make that claim. Let's see how a simple client can establish a secure connection:

Verifying server certificate

- -

Using client certificate

- -

SimpleHTTPSServer

- -

A Medusa-based HTTPS server

+ctx = SSL.Context()
+ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9)
+if ctx.load_verify_locations('ca.pem') != 1: raise Exception('No CA certs')
+s = SSL.Connection(ctx)
+s.connect(server_address)
+# Normal protocol (for example HTTP) commands follow
+

The first line creates an SSL context. The defaults allow any SSL version (except SSL version 2 which has known +weaknesses) and sets the allowed ciphers to secure ones.

+ +

The second line tells M2Crypto to perform certificate validation. The flags shown above are typical for clients, +and requires the server to send a certificate. The depth parameter tells how long certificate chains are allowed - +9 is pretty common default, although probably too long in practice.

+ +

The third line loads the allowed root (certificate authority) certificates.

+ +

The fourth line creates an SSL connection object with the secure context.

+ +

The fifth line connects to the server. During this time we perform the last security step: just after connection, but before +exchanging any data, we compare the commonName (or subjectAltName DNS field) field in the certificate the server returned to the +server address we tried to connect to. This happens automatically with SSL.Connection and the Twisted wrapper class, and anything +that uses those. In all other cases you must do the check manually. It is recommended you call the SSL.Checker to do the actual check.

+ +

SSL servers are different in that they typically do not require the client to send a certificate, so there is usually no certificate +checking. Also, it is typically useless to perform host name checking.

+ +

Code Samples

+ +

The best samples of how to use the various SSL objects are in the tests directory, and the test_ssl.py file specifically. +There are additional samples in the demo directory, but they are not quaranteed to be up to date.

+ +

NOTE: The tests and demos +may not be secure as is. Use the information above on how to make them secure.

Client certificate-based authenticationssldump

ssldump "is an SSLv3/TLS network protocol analyser. It identifies + TCP connections on the chosen network interface and attempts to interpret + them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it + decodes the records and displays them in a textual form to stdout. If + provided with the appropriate keying material, it will also decrypt the + connections and display the application data traffic. +

+ +

+ If linked with OpenSSL, ssldump can display certificates in decoded form + and decrypt traffic (provided that it has the appropriate keying + material)." +

Controlling session reuse

ssldump is written by Eric Rescorla. +

- - + + -- cgit v1.2.1