Python and SSL

Discussion in 'Python' started by billiejoex, Apr 16, 2007.

  1. billiejoex

    billiejoex Guest

    Hi,
    I developed an ftp-server library and now I would like to add support
    for SSL/TLS as described in RFC 2228: http://tools.ietf.org/html/rfc2228
    Currently I'm searching for documentation about this subject and I
    would like to start by asking some questions:

    - I noticed that the socket module provides an SSL class (socket.ssl) but,
    even though the documentation reports that it does not do any certificate
    verification, a lot of stdlib modules (imaplib, poplib, smtplib,
    httplib and urllib2) provide SSL extension classes wherein socket.ssl
    is used. What does it mean?

    - On top of that, why do such extension classes [examples: 1, 2, 3]
    accept key-files and cert-files as optional arguments if no
    certificate verification occurs?
    [1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
    [2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
    [3] smtplib.starttls( [keyfile[, certfile]])

    - By searching through the web I found some daemons supporting SSL
    such as this one:
    http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
    By looking at the code I notice that pyopenssl package is used and
    that a certificate file is required. Why do I need to use pyopenssl
    and how do I generate the cert file?

    Could someone point me in the right direction?

    Thanks in advance.
    billiejoex, Apr 16, 2007
    #1

  2. billiejoex

    Guest

    On Apr 16, 10:24 am, "billiejoex" <> wrote:
    > Hi,
    > I developed an ftp-server library and now I would like to add support
    > for SSL/TLS as described in RFC 2228: http://tools.ietf.org/html/rfc2228
    > Currently I'm searching for documentation about this subject and I
    > would like to start by asking some questions:
    >
    > - I noticed that the socket module provides an SSL class (socket.ssl) but,
    > even though the documentation reports that it does not do any certificate
    > verification, a lot of stdlib modules (imaplib, poplib, smtplib,
    > httplib and urllib2) provide SSL extension classes wherein socket.ssl
    > is used. What does it mean?
    >
    > - On top of that, why do such extension classes [examples: 1, 2, 3]
    > accept key-files and cert-files as optional arguments if no
    > certificate verification occurs?
    > [1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
    > [2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
    > [3] smtplib.starttls( [keyfile[, certfile]])
    >
    > - By searching through the web I found some daemons supporting SSL
    > such as this one: http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
    > By looking at the code I notice that pyopenssl package is used and
    > that a certificate file is required. Why do I need to use pyopenssl
    > and how do I generate the cert file?
    >
    > Could someone point me in the right direction?
    >
    > Thanks in advance.


    I don't know if this will help you or not, but we use the httplib
    module's "HTTPSConnection" method to connect with SSL. We use
    urlencode from the urllib module to encode the username and password
    we send to a server. Since I didn't write this particular bit of code,
    I don't completely understand it. But I hope it will give you some
    ideas.

    Mike
    , Apr 16, 2007
    #2

  3. > - I noticed that the socket module provides an SSL class (socket.ssl) but,
     > even though the documentation reports that it does not do any certificate
     > verification, a lot of stdlib modules (imaplib, poplib, smtplib,
     > httplib and urllib2) provide SSL extension classes wherein socket.ssl
     > is used. What does it mean?


    It means that these modules can do encrypted communication for their
    respective protocol. They cannot validate that they are really talking
    to the server they think they talk to (so they are prone to a
    man-in-the-middle attack), however, as communication is encrypted, they
    are protected against wire-tapping. Also, some servers require
    encrypted connections (e.g. when passwords are transmitted), so they
    can use SSL for that.

    > - On top of that, why do such extension classes [examples: 1, 2, 3]
    > accept key-files and cert-files as optional arguments if no
    > certificate verification occurs?
    > [1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
    > [2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
    > [3] smtplib.starttls( [keyfile[, certfile]])


    These are client certificates. Some servers require that clients
    authenticate through client certificates. This effectively avoids
    man-in-the-middle attacks, as the server will validate the client's
    certificate.

    > - By searching through the web I found some daemons supporting SSL
    > such as this one:
    > http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
    > By looking at the code I notice that pyopenssl package is used and
    > that a certificate file is required. Why do I need to use pyopenssl
    > and how do I generate the cert file?


    You can generate certificate files using the openssl command line
    tool; see the openssl documentation for details.

    Martin
    "Martin v. Löwis", Apr 16, 2007
    #3
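The three points in Martin's reply, shown with the modern Python `ssl` module as an added example (not code from the thread or from the poster's library): a context that behaves like the old unverified `socket.ssl` (encrypts but cannot detect an impersonating server), a verifying client context for an RFC 2228 style `AUTH TLS` upgrade that can also present a client certificate, and a server context that requires client certificates. File names and the `upgrade_to_tls` helper are assumptions for illustration.

```python
import ssl


def legacy_style_context() -> ssl.SSLContext:
    """Equivalent of the old socket.ssl behaviour: traffic is encrypted, but
    any certificate is accepted, so a man-in-the-middle is not detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ftps_client_context(cafile=None, certfile=None, keyfile=None) -> ssl.SSLContext:
    """Verifying client context. cafile: trusted CA bundle (None = system
    store). certfile/keyfile: the optional *client* certificate, which is the
    role the keyfile/certfile arguments in poplib/imaplib/smtplib play: it is
    presented to the server, it does not verify the server."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def ftps_server_context(certfile, keyfile, client_ca=None) -> ssl.SSLContext:
    """Server context. certfile/keyfile: the server's own certificate, e.g.
    generated with the openssl CLI:
      openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
    client_ca: if given, clients must present a certificate signed by it
    (mutual TLS, the 'client certificates' Martin describes)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    if client_ca:
        ctx.load_verify_locations(client_ca)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def detects_impersonation(ctx: ssl.SSLContext) -> bool:
    """True only if the peer certificate is validated against trusted CAs
    and the hostname is checked; anything less leaves MITM undetected."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def upgrade_to_tls(sock, hostname, ctx=None):
    """Explicit FTPS: call once the server has accepted 'AUTH TLS' on the
    plain control connection; returns the wrapped socket (hypothetical helper)."""
    ctx = ctx or ftps_client_context()
    return ctx.wrap_socket(sock, server_hostname=hostname)
```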
  4. billiejoex

    Paul Rubin Guest

    "Martin v. Löwis" <> writes:
    > It means that these modules can do encrypted communication for their
    > respective protocol. They cannot validate that they are really talking
    > to the server they think they talk to (so they are prone to a
    > man-in-the-middle attack), however, as communication is encrypted, they
    > are protected against wire-tapping.


    Unless the wiretapper is running a man-in-the-middle attack...
    Paul Rubin, Apr 17, 2007
    #4
  5. billiejoex

    Steve Holden Guest

    Paul Rubin wrote:
    > "Martin v. Löwis" <> writes:
    >> It means that these modules can do encrypted communication for their
    >> respective protocol. They cannot validate that they are really talking
    >> to the server they think they talk to (so they are prone to a
    >> man-in-the-middle attack), however, as communication is encrypted, they
    >> are protected against wire-tapping.

    >
    > Unless the wiretapper is running a man-in-the-middle attack...
    >

    That's pretty unreasonable: wiretapping is normally regarded as passive
    listening - when the FBI tap your wire do they try and impersonate the
    people you are calling? - and Martin already explained that
    man-in-the-middle was still a risk.

    Why muddy the issue with this "point"?

    regards
    Steve
    --
    Steve Holden +44 150 684 7255 +1 800 494 3119
    Holden Web LLC/Ltd http://www.holdenweb.com
    Skype: holdenweb http://del.icio.us/steve.holden
    Recent Ramblings http://holdenweb.blogspot.com
    Steve Holden, Apr 17, 2007
    #5
