ssl server

Seb

I'm making an SSL server, but I'm not sure how I can verify the
clients. What do I actually need to place in _verify to actually
verify that the client cert is signed by me?

from OpenSSL import SSL          # pyOpenSSL
from SocketServer import TCPServer  # Python 2 name of socketserver
import socket

class SSLTCPServer(TCPServer):
    keyFile = "sslcert/server.key"
    certFile = "sslcert/server.crt"

    def __init__(self, server_address, RequestHandlerClass):
        ctx = SSL.Context(SSL.SSLv23_METHOD)
        ctx.use_privatekey_file(self.keyFile)
        ctx.use_certificate_file(self.certFile)
        # Ask for a client cert, fail the handshake if none is sent,
        # and run self._verify for every cert in the presented chain.
        ctx.set_verify(SSL.VERIFY_PEER |
                       SSL.VERIFY_FAIL_IF_NO_PEER_CERT | SSL.VERIFY_CLIENT_ONCE,
                       self._verify)
        ctx.set_verify_depth(10)
        ctx.set_session_id('DFS')

        self.server_address = server_address
        self.RequestHandlerClass = RequestHandlerClass
        self.socket = socket.socket(self.address_family,
                                    self.socket_type)
        self.socket = SSL.Connection(ctx, self.socket)
        self.socket.bind(self.server_address)
        self.socket.listen(self.request_queue_size)

    def _verify(self, conn, cert, errno, depth, retcode):
        # Called once per chain element; retcode is OpenSSL's own verdict.
        return (not cert.has_expired() and
                cert.get_issuer().organizationName == 'DFS')
 
Giampaolo Rodola'

What library are you using? PyOpenSSL?
In that case I think you'll have more luck by posting on their mailing
list.


--- Giampaolo
http://code.google.com/p/pyftpdlib/
 
Michael Palmer

If I were you, I would just hide behind Apache, nginx or
another server that does SSL. Just have that server proxy locally to
your Python server over HTTP, and firewall the Python server port.
 
Seb

Good idea, however atm this is a school project so that's not really an
option right now. However, I might take this a bit further and use
that solution.
 
Seb

Simply return retcode and it will work... assuming you have the certs
set up properly.
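What "return retcode" amounts to, written out as an added example (not code from the thread, nor pyOpenSSL's own): the context loads the CA that signed the client certs, and the verify callback keeps OpenSSL's verdict (preverify_ok, the thread's retcode) instead of replacing it. The original _verify is kept alongside for comparison, since it never looks at that verdict and so accepts any certificate whose issuer field merely says O=DFS. The pyOpenSSL method names are the real ones; the CA path, TRUSTED_ORG and the StubCert stand-in used to exercise the callbacks are constructed for this example.

```python
"""Client-cert verification for a pyOpenSSL server: let OpenSSL verify the
chain against the CA you loaded, and only tighten its verdict in the callback.
Added example; TRUSTED_ORG, the CA path and StubCert are assumptions."""

try:
    from OpenSSL import SSL
except ImportError:  # pyOpenSSL absent: the pure-Python callbacks below still run
    SSL = None

TRUSTED_ORG = "DFS"  # organizationName of the CA you control (assumed value)


def original_verify(conn, cert, errno, depth, preverify_ok):
    """The thread's _verify as posted, for comparison.

    preverify_ok (OpenSSL's verdict on this chain element) is ignored, so a
    cert OpenSSL already rejected is accepted as long as its issuer field
    reads O=DFS; any self-signed cert can carry that string."""
    return (not cert.has_expired()
            and cert.get_issuer().organizationName == TRUSTED_ORG)


def verify_client_cert(conn, cert, errno, depth, preverify_ok):
    """Verify callback that only narrows what OpenSSL already accepted.

    OpenSSL calls this once per certificate in the presented chain, from the
    trust anchor down to the client's own cert at depth 0.  preverify_ok
    says whether this element chained to a CA loaded via
    load_verify_locations, is within its validity period and within the
    depth limit; errno carries the X509_V_ERR_* code when it failed."""
    if not preverify_ok:
        return False                       # keep OpenSSL's rejection
    if depth == 0:
        # Leaf cert: additionally require that our CA is the issuer.
        return cert.get_issuer().organizationName == TRUSTED_ORG
    return True                            # CA/intermediate: chain-verified already


def build_server_context(certfile, keyfile, cafile="sslcert/ca.crt"):
    """Server context that demands a client cert and can actually verify it."""
    if SSL is None:
        raise RuntimeError("pyOpenSSL is required to build a real context")
    ctx = SSL.Context(SSL.SSLv23_METHOD)   # negotiates highest mutual TLS version
    ctx.use_privatekey_file(keyfile)
    ctx.use_certificate_file(certfile)
    ctx.load_verify_locations(cafile)      # without this no chain can ever verify
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                   verify_client_cert)
    ctx.set_verify_depth(2)                # root -> optional intermediate -> client
    return ctx


class _StubName:
    def __init__(self, org):
        self.organizationName = org


class StubCert:
    """Constructed stand-in for OpenSSL.crypto.X509 (only the two methods used)."""
    def __init__(self, issuer_org, expired=False):
        self._issuer = _StubName(issuer_org)
        self._expired = expired

    def has_expired(self):
        return self._expired

    def get_issuer(self):
        return self._issuer


if __name__ == "__main__":
    # A cert whose issuer claims O=DFS but which OpenSSL could not chain to
    # our CA: preverify_ok is 0, errno 20 (UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
    forged = StubCert("DFS")
    print("original accepts forged:", original_verify(None, forged, 20, 0, 0))
    print("fixed accepts forged:   ", verify_client_cert(None, forged, 20, 0, 0))
```

With VERIFY_FAIL_IF_NO_PEER_CERT set and the callback written this way, a client that presents no certificate, an expired one, or one not signed by the loaded CA never gets past the handshake, and the organizationName comparison only adds a check on top of that rather than standing in for it.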