Python and SSL

[billiejoex]

Hi,
I developed an ftp-server library and now I would like to add support
for SSL/TLS as described in RFC 2228: http://tools.ietf.org/html/rfc2228
Currenlty I'm searching for documentation about this subject and I
would like to start to ask some questions:

- I noticed that socket module provides an SSL class (socket.ssl) but
even if documentation reports that it does not do any certificate
verification a lot of stdlib modules (imaplib, poplib, smtplib,
httplib and urllib2) provides SSL extension classes wherein socket.ssl
is used. What does it mean?

- On top of that why such extension classes [examples: 1, 2, 3]
accepts key-files and cert-files as optional argouments if no
certificate verification occurs?
[1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
[2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
[3] smtplib.starttls( [keyfile[, certfile]])

- By searching through the web I found some daemons supporting SSL
such as this one:
http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
By looking at the code I notice that pyopenssl package is used and
that a certificate file is required. Why do I need to use pyopenssl
and how do I generate the cert file?

Could someone point me in the right direction?

Thanks in advance.

 

[kyosohma]

Hi,
I developed an ftp-server library and now I would like to add support
for SSL/TLS as described in RFC 2228:http://tools.ietf.org/html/rfc2228
Currenlty I'm searching for documentation about this subject and I
would like to start to ask some questions:

- I noticed that socket module provides an SSL class (socket.ssl) but
even if documentation reports that it does not do any certificate
verification a lot of stdlib modules (imaplib, poplib, smtplib,
httplib and urllib2) provides SSL extension classes wherein socket.ssl
is used. What does it mean?

- On top of that why such extension classes [examples: 1, 2, 3]
accepts key-files and cert-files as optional argouments if no
certificate verification occurs?
[1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
[2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
[3] smtplib.starttls( [keyfile[, certfile]])

- By searching through the web I found some daemons supporting SSL
such as this one:http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
By looking at the code I notice that pyopenssl package is used and
that a certificate file is required. Why do I need to use pyopenssl
and how do I generate the cert file?

Could someone point me in the right direction?

Thanks in advance.

I don't know if this will help you or not, but we use the httplib
module's "HTTPSConnection" method to connect with SSL. We use
urlencode from the urllib module to encode the username and password
we send to a server. Since I didn't write this particular bit of code,
I don't completely understand it. But I hope it will give you some
ideas.

Mike

 

[=?ISO-8859-1?Q?=22Martin_v=2E_L=F6wis=22?=]

- I noticed that socket module provides an SSL class (socket.ssl) but

even if documentation reports that it does not do any certificate
verification a lot of stdlib modules (imaplib, poplib, smtplib,
httplib and urllib2) provides SSL extension classes wherein socket.ssl
is used. What does it mean?

It means that these modules can do encrypted communication for their
respective protocol. They cannot validate that they are really talking
to the server they think they talk to (so they are prone to a
man-in-the-middle attack), however, as communication is encrypted, they
are protected against wire-tapping. Also, some servers require
encrypted connections (e.g. when passwords are transmitted), so they
can use SSL for that.

- On top of that why such extension classes [examples: 1, 2, 3]
accepts key-files and cert-files as optional argouments if no
certificate verification occurs?
[1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
[2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
[3] smtplib.starttls( [keyfile[, certfile]])

These are client certificates. Some servers require that clients
authenticate through client certificates. This effectively avoids
man-in-the-middle attacks, as the server will validate the client's
certificate.

- By searching through the web I found some daemons supporting SSL
such as this one:
http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
By looking at the code I notice that pyopenssl package is used and
that a certificate file is required. Why do I need to use pyopenssl
and how do I generate the cert file?

You can generate certificate files using the openssl command line
tool; see the openssl documentation for details.

Martin

 

[Paul Rubin]

It means that these modules can do encrypted communication for their
respective protocol. They cannot validate that they are really talking
to the server they think they talk to (so they are prone to a
man-in-the-middle attack), however, as communication is encrypted, they
are protected against wire-tapping.

Unless the wiretapper is running a man-in-the-middle attack...

 

[Steve Holden]

Unless the wiretapper is running a man-in-the-middle attack...

That's pretty unreasonable: wiretapping is normally regarded as passive
listening - when the FBI tap your wire do they try and impersonate the
people you are calling? - and Martin already explained that
man-in-the-middle was still a risk.

Why muddy the issue with this "point"?

regards
Steve