python xmlrpc client with ssl client certificates and standard modules

Discussion in 'Python' started by News123, Jan 4, 2010.

  1. News123

    News123 Guest

    Hi,

    I was googling for quite some time and was not really successful.

    I found one solution, which I will try soon.
    It is
    http://www.cs.technion.ac.il/~danken/xmlrpc-ssl.html
    (found in
    http://hamakor.org.il/pipermail/python-il/2008-February/000029.html )

    This will probably work, but it requires the module M2Crypto.

    In order to avoid installing M2Crypto on all hosts that want to run the
    script I wondered whether there is no other solution.

    I can do xmlrpc over ssl WITHOUT certificates with the following code:

    import xmlrpclib
    server_url = 'https://myserver'
    server = xmlrpclib.Server(server_url)


    and I can perform a https get request WITH certificates with the snippet below:

    import httplib

    # HOSTNAME, KEYFILE and CERTFILE are assumed to be defined elsewhere
    conn = httplib.HTTPSConnection(
        HOSTNAME,
        key_file = KEYFILE,    # client private key
        cert_file = CERTFILE   # client certificate
    )
    conn.putrequest('GET', '/')
    conn.endheaders()
    response = conn.getresponse()
    print response.read()


    I'm just lost as to how to 'combine' both.


    Thanks in advance for any suggestions / hints




    N
    News123, Jan 4, 2010
    #1

  2. News123

    mdipierro Guest

    Re: python xmlrpc client with ssl client certificates and standard modules

    xmlrpc acts at the application layer and ssl at the transport layer, so
    they can interoperate easily as long as you do not use the
    certificate to authenticate the client but only validate the server
    and encrypt data (which you can also do, but it is more complicated).

    One option for you is to use web2py, which includes an xmlrpc server
    that uses a wsgi ssl enabled web server.

    Here is how:

    1) Install web2py
    2) Visit http://127.0.0.1:8000/admin and create a new application from
    the web based IDE
    3) create your web service for example, in a controller default.py

    @service.xmlrpc
    def add(a,b): return int(a)+int(b)

    4) Restart web2py with

    python web2py.py -a ADMIN_PASSWD -c SSL_CERTIFICATE -k SSL_PRIVATE_KEY -i 0.0.0.0 -p 443

    5) You can now access the service from any Python program:

    >>> import xmlrpclib
    >>> server_url = 'https://myserver:443/yourapp/default/call/xmlrpc'
    >>> server = xmlrpclib.Server(server_url)
    >>> print server.add(3,4)
    7

    Hope this helps.



    mdipierro, Jan 4, 2010
    #2

  3. News123

    News123 Guest

    Re: python xmlrpc client with ssl client certificates and standard modules

    Thanks for your answer.


    I'll look at web2py.

    However web2py seems to address the xmlrpc server (at least in your
    example). The xmlrpc server application exists already and requires a
    client certificate.

    The client example doesn't seem to be using a certificate.

    So I'll be reading a little into web2py.


    bye


    N


    News123, Jan 4, 2010
    #3
  4. News123

    mdipierro Guest

    Re: python xmlrpc client with ssl client certificates and standard modules

    If it is a client problem then web2py will be on help.

    If your server is written already you may be able to use it with the
    ssl cherrypy wsgi server (the one that web2py uses) and you do not
    need web2py at all.

    Massimo

    mdipierro, Jan 4, 2010
    #4
  5. News123

    News123 Guest

    Re: python xmlrpc client with ssl client certificates and standard modules

    Hi Massimo,


    I'm still a little confused:

    My setup:

    server host:
    ------------
    apache, php with an xmlrpc server interface.
    no python installed.


    multiple client hosts (linux / windows only default python installed)
    -----------------------------------------------------------------------
    an existing python script performing an xmlrpc call to the server host.
    The current working (without certificates) code snippet is:

    import xmlrpclib
    server_url = 'https://myserver'
    server = xmlrpclib.Server(server_url);
    result = server.myfunction(args)





    The whole setup is working as long as no client certificates are imposed
    by the server.
    The whole setup is not working as soon as the server is configured to
    accept only a given set of SSL-client certificates.



    My question is how to change the above four-line code snippet such that a
    client certificate will be sent to the xmlrpc server,
    assuming the variables
    CLIENT_KEY_FILE and CLIENT_CRT_FILE are defined and pointing to the
    client certificate files.


    I hope to have more time tomorrow to check out the option,
    that I found and the option, that you suggest.

    option 1:
    http://www.cs.technion.ac.il/~danken/xmlrpc-ssl.html
    ( with non standard py module M2Crypto )

    option 2:
    or web2py, which at first (so far no second) glance seems more
    to be targeted at implementing server side application with ajax
    or the client side.


    thanks again and bye


    N







    News123, Jan 4, 2010
    #5
  6. Re: python xmlrpc client with ssl client certificates and standard modules

    > I can do xmlrpc over ssl WITHOUT certificates with following code:
    >
    > import xmlrpclib
    > server_url = 'https://myserver'
    > server = xmlrpclib.Server(server_url);
    >
    >
    > and I can perform a https get request WITH certificates with below snippet:
    >
    > import httplib
    > conn = httplib.HTTPSConnection(
    > HOSTNAME,
    > key_file = KEYFILE,
    > cert_file = CERTFILE
    > )
    > conn.putrequest('GET', '/')
    > conn.endheaders()
    > response = conn.getresponse()
    > print response.read()
    >
    >
    > I'm just lost of how to 'combine' both.


    In this case, read through the source of xmlrpclib:

    a) SafeTransport receives x509 parameters from get_host_info
    b) get_host_info supports a case where host is a tuple host, x509

    So, without testing:

    server = xmlrpclib.Server((server_url, {'key_file': KEYFILE,
                                            'cert_file': CERTFILE}))

    Please do read the code before trying this out.

    HTH,
    Martin
    Martin v. Loewis, Jan 4, 2010
    #6
  7. News123

    News123 Guest

    Re: python xmlrpc client with ssl client certificates and standard modules

    Hi Martin,

    Thanks a lot for your reply.
    It helped me to find the correct solution.

    Unfortunately xmlrpclib.ServerProxy does not allow a host tuple, but
    just a uri.

    So the simplest solution that I found is to create a custom transport:


    import xmlrpclib

    # DFLT_CERTFILE, DFLT_KEYFILE and server_url are assumed to be defined elsewhere
    class SafeTransportWithCert(xmlrpclib.SafeTransport):
        __cert_file = DFLT_CERTFILE
        __key_file = DFLT_KEYFILE

        def make_connection(self, host):
            # Pass the host as a (host, x509) tuple so that get_host_info
            # hands key_file / cert_file on to the HTTPS connection
            host_with_cert = (host, {
                'key_file': self.__key_file,
                'cert_file': self.__cert_file
            })
            return xmlrpclib.SafeTransport.make_connection(
                self, host_with_cert)


    transport = SafeTransportWithCert()
    server = xmlrpclib.ServerProxy(server_url, transport=transport)

    rslt = server.mymethod(args)


    Perfect.
    Now the server can ensure, that only certified clients connect.

    My next task is how to find out at the client side, that the server
    certificate is a properly signed one.

    bye


    N


    News123, Jan 5, 2010
    #7
  8. Re: python xmlrpc client with ssl client certificates and standard modules

    News123 wrote:
    > This will probably work, but it requires the module M2Crypto.
    >
    > In order to avoid installing M2Crypto an all hosts that want to run the
    > script I wondered, whether there is no other solution.
    >
    > I can do xmlrpc over ssl WITHOUT certificates with following code:

    [...]

    Please note that if you just use the stdlib it is not secure out of the
    box. With Python 2.6 and the ssl module you can make it so, but it
    requires some work on your part. See for example
    http://www.heikkitoivonen.net/blog/2008/10/14/ssl-in-python-26/

    --
    Heikki Toivonen - http://heikkitoivonen.net
    Heikki Toivonen, Jan 6, 2010
    #8
  9. Re: python xmlrpc client with ssl client certificates and standard modules

    > My next task is how to find out at the client side, that the server
    > certificate is a properly signed one.


    As Heikki says, you'll need Python 2.6 for that. You'll probably need to
    extend your transport implementation.

    Regards,
    Martin
    Martin v. Loewis, Jan 6, 2010
    #9
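
Added example, not part of the original thread: on current Python 3 the client certificate from post #7 and the server-certificate verification raised in posts #8 and #9 can both be set on one `ssl.SSLContext` passed to `xmlrpc.client.ServerProxy`, with no custom transport. It uses the Python 3 standard library (`ssl`, `xmlrpc.client`) instead of the Python 2 `xmlrpclib` shown above; `build_client_context` and `make_proxy` are names chosen here, and the certificate paths are supplied by the caller.

```python
import ssl
import xmlrpc.client
from urllib.parse import urlsplit


def build_client_context(cert_file=None, key_file=None, ca_file=None):
    """TLS context that verifies the server and optionally presents a client cert.

    ca_file is an optional CA bundle for a privately signed server; when it is
    None the system trust store is used.
    """
    # create_default_context() turns on CERT_REQUIRED and hostname checking,
    # the two checks the Python 2 snippets in this thread never performed.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file is not None:
        # Fails early if a file is missing or the key does not match the cert.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def make_proxy(server_url, ctx):
    """ServerProxy bound to ctx; refuses URLs that would bypass TLS."""
    # ServerProxy only applies the context to https:// URLs. With http:// it
    # uses a plain transport, so no client certificate is sent and nothing
    # is verified. Reject that case instead of failing open.
    if urlsplit(server_url).scheme != "https":
        raise ValueError("refusing non-https XML-RPC URL: %r" % (server_url,))
    return xmlrpc.client.ServerProxy(server_url, context=ctx)


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 4:
        sys.exit("usage: client.py https://myserver CLIENT_CRT_FILE CLIENT_KEY_FILE")
    url, crt, key = sys.argv[1:]
    server = make_proxy(url, build_client_context(crt, key))
    # Assumption: the server exposes the optional XML-RPC introspection method.
    print(server.system.listMethods())
```

A handshake against a server whose certificate does not chain to a trusted CA, or whose name does not match the URL, raises `ssl.SSLCertVerificationError` before any XML-RPC request is sent.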
  10. News123

    vilas

    My question is to mdipierro.
    I am using web2py. We have one web service in .NET. In order to access that service we need to pass certificate to that service. How do I do it in Web2py?
    I have Windows 7 operating system and .cer certificate is installed on my machine. I am using pysimplesoap library but there is no provision given to send certificate. I have also tried your solution in this thread which is

    python web2py.py -a ADMIN_PASSWD -c SSL_CERTIFICATE -k SSL_PRIVATE_KEY -i 0.0.0.0 -p 443

    as I have only one cer file I am using only that file here. But this is also not working and I am getting Forbidden error message here. Please help.
    vilas, Feb 15, 2012
    #10