On Tue, Jan 08, 2008 at 09:20:07AM +0200, Dan Kenigsberg wrote:
> On Tue, Jan 08, 2008 at 12:07:41AM +0200, Meir Kriheli wrote:
> > Dan Kenigsberg wrote:
> > >Dear List,
> > >
> > >I saw that creating an XML-RPC client-server system in python is very
> > >simple.
> > >However, when I wanted to see how to do it all over SSL, everything got
> > >complicated. I'd like the server to authenticate the client, and hopefully
> > >vice versa. What is the recommended way of doing it?
>
> > Maybe this can help (note the comments regarding a change for python 2.5):
> >
> > http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/496786
>
> Thanks, though it would be nice to understand what's wrong with the pyOpenSSL
> example.
>
> This recipe takes me a bit forward, but still does not help much because it
> does not give a clue on how the client should supply its certificate. (it also
> does not give means of checking the certificate on the server, but I'm guessing
> that this could be changed by adding
> ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
> in the appropriate place)
>
> So, if anyone has an even better bit of info, please come forward.
OK. It took me a while to tie the loose ends, but now it works. I'll lay it out
here for the archive's sake.
First, you need to have
* openssl
* M2Crypto
* a fake truststore along the lines of
    * ts/certs/ca.pem
    * ts/certs/server.pem
    * ts/certs/client.pem
    * ts/keys/server.pem
    * ts/keys/client.pem
Then, in the client, you should
    ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 16)  # require and verify the peer's cert, chain depth 16
    ctx.load_verify_locations(CACERT)                                       # CA cert used to verify the peer
    ctx.load_cert(CERTFILE, KEYFILE)                                        # this side's own cert and private key
I've put a complete working example on
http://www.cs.technion.ac.il/~danken/xmlrpc-ssl.html
Regards,
--
Dan Kenigsberg http://www.cs.technion.ac.il/~danken ICQ 162180901
_______________________________________________
Python-il mailing list
[email protected]
http://hamakor.org.il/cgi-bin/mailman/listinfo/python-il
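The same mutually-authenticated XML-RPC setup as in Dan's message, done with the Python standard library's ssl module instead of M2Crypto. This is an added example, not code from the post or from Dan's page; it keeps his truststore layout (ts/certs/{ca,server,client}.pem, ts/keys/{server,client}.pem) and assumes the openssl CLI is on PATH (used only to mint throwaway certificates) and Python 3.7 or later. The three M2Crypto calls map onto ssl.SSLContext one for one: set_verify(verify_peer | verify_fail_if_no_peer_cert, depth) becomes verify_mode = CERT_REQUIRED, load_verify_locations stays load_verify_locations, and load_cert becomes load_cert_chain. The example also shows the two checks a practitioner wants: the server reads the client's CN from the verified certificate, and a client that presents no certificate is refused.

```python
"""Mutual-TLS XML-RPC with the stdlib ssl module (added example, not the post's M2Crypto code).

Assumptions: openssl CLI on PATH (only to generate throwaway certs), Python >= 3.7.
Truststore layout follows the post: ts/certs/{ca,server,client}.pem, ts/keys/{server,client}.pem.
"""
import os
import shutil
import ssl
import subprocess
import tempfile
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler


def openssl_available():
    return shutil.which("openssl") is not None


def make_truststore(ts):
    """Mint a throwaway CA plus CA-signed server and client certs with the openssl CLI."""
    certs, keys = os.path.join(ts, "certs"), os.path.join(ts, "keys")
    os.makedirs(certs, exist_ok=True)
    os.makedirs(keys, exist_ok=True)

    def run(*args):
        subprocess.run(["openssl", *args], check=True, capture_output=True)

    # Self-signed CA; "req -x509" yields a CA:TRUE certificate with the stock config.
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj", "/CN=Test CA",
        "-keyout", os.path.join(keys, "ca.pem"), "-out", os.path.join(certs, "ca.pem"))
    # Server cert carries a SAN so the client's hostname check matches "localhost".
    san = os.path.join(ts, "san.cnf")
    with open(san, "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    for name, subj, ext in (("server", "/CN=localhost", ["-extfile", san]),
                            ("client", "/CN=xmlrpc-client", [])):
        csr = os.path.join(ts, name + ".csr")
        run("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", subj,
            "-keyout", os.path.join(keys, name + ".pem"), "-out", csr)
        run("x509", "-req", "-days", "1", "-in", csr, "-CA", os.path.join(certs, "ca.pem"),
            "-CAkey", os.path.join(keys, "ca.pem"), "-CAcreateserial",
            "-out", os.path.join(certs, name + ".pem"), *ext)
    return ts


def make_server_context(ts):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # = verify_peer | verify_fail_if_no_peer_cert
    ctx.load_verify_locations(cafile=os.path.join(ts, "certs", "ca.pem"))
    ctx.load_cert_chain(os.path.join(ts, "certs", "server.pem"), os.path.join(ts, "keys", "server.pem"))
    return ctx


def make_client_context(ts, with_cert=True):
    # PROTOCOL_TLS_CLIENT already implies CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=os.path.join(ts, "certs", "ca.pem"))
    if with_cert:  # this is how the client "supplies its certificate"
        ctx.load_cert_chain(os.path.join(ts, "certs", "client.pem"), os.path.join(ts, "keys", "client.pem"))
    return ctx


def cn_from_cert(cert):
    """Pull commonName out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in (cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


class PeerAwareHandler(SimpleXMLRPCRequestHandler):
    """Lets an RPC method see who the verified TLS peer is."""

    def _dispatch(self, method, params):
        if method == "whoami":
            return cn_from_cert(self.connection.getpeercert())
        return self.server._dispatch(method, params)


def start_server(ts):
    srv = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=PeerAwareHandler, logRequests=False)
    srv.socket = make_server_context(ts).wrap_socket(srv.socket, server_side=True)
    srv.register_function(lambda a, b: a + b, "add")
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def round_trip(ts):
    """Authenticated call succeeds and reveals the client CN; a cert-less client is refused."""
    srv, port = start_server(ts)
    url = "https://localhost:%d/" % port
    try:
        good = xmlrpc.client.ServerProxy(url, context=make_client_context(ts))
        result = {"add": good.add(2, 3), "whoami": good.whoami()}
        bad = xmlrpc.client.ServerProxy(url, context=make_client_context(ts, with_cert=False))
        try:
            bad.add(1, 1)
            result["no_cert_rejected"] = False
        except (OSError, xmlrpc.client.ProtocolError):  # handshake alert or dropped connection
            result["no_cert_rejected"] = True
    finally:
        srv.shutdown()
        srv.server_close()
    return result


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return round_trip(make_truststore(os.path.join(tmp, "ts")))


if __name__ == "__main__":
    print(demo())
```

Note that verify_mode = CERT_REQUIRED on the server is what makes the empty client certificate a handshake failure rather than a silently anonymous connection; with plain CERT_OPTIONAL (the M2Crypto verify_peer without verify_fail_if_no_peer_cert) the cert-less client would get through and whoami would return None.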