Re: SSL/TLS support in Pyro4
On 2017-08-04 17:11, Robin Becker wrote:
> On 04/08/2017 15:12, Irmen de Jong wrote:
>> On 04/08/2017 15:44, Robin Becker wrote:
> ..
>> You can specify a CAcert using load_verify_locations on the ssl context. Is that what
>> you meant? I figured out that if you set that to the peer's certificate it will then be
>
> yes I think so. Certainly the self signed certs I tried with python3 urllib seemed to
> require valid hostnames. If I just use this as server
>
> from http.server import HTTPServer, BaseHTTPRequestHandler, SimpleHTTPRequestHandler
> import ssl
>
> httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
> httpd.socket = ssl.wrap_socket(httpd.socket,
>                                keyfile="/home/rptlab/tmp/key.pem",
>                                certfile='/home/rptlab/tmp/cert.pem', server_side=True)
> httpd.serve_forever()
>
> and this as requester
>
> from urllib import request
> req = request.urlopen('https://localhost:4443', cafile='/home/rptlab/tmp/cert.pem')
> print(req.read())
>
> then provided the self signed cert has the name localhost requests can be made OK.
>
> I'm guessing this would also work OK if the cert had multiple names embedded in it
> which would allow a small cluster to be used.
>
> I don't know which part of the socket does the host name checking, but perhaps that
> can be turned off somewhere.

This approach works but requires a carefully crafted certificate. The certificate must be a valid CA and EE certificate at the same time. Either you must not include any X509v3 extensions or correctly pick the right combination of BasicConstraint, Key Usage and Extended Key Usage.

For my tests I use my own project CA. For example https://github.com/latchset/custodia/tree/master/tests/ca/ contains a script to generate a CA and two EE certs. The server cert is valid for localhost and 127.0.0.1. You can easily extend the configuration to include one or multiple intermediate CAs.

Christian

-- 
https://mail.python.org/mailman/listinfo/python-list
Re: SSL/TLS support in Pyro4
On 04/08/2017 15:12, Irmen de Jong wrote:
> On 04/08/2017 15:44, Robin Becker wrote:
..
> You can specify a CAcert using load_verify_locations on the ssl context. Is that what
> you meant? I figured out that if you set that to the peer's certificate it will then be

yes I think so. Certainly the self signed certs I tried with python3 urllib seemed to require valid hostnames. If I just use this as server

from http.server import HTTPServer, BaseHTTPRequestHandler, SimpleHTTPRequestHandler
import ssl

httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket,
                               keyfile="/home/rptlab/tmp/key.pem",
                               certfile='/home/rptlab/tmp/cert.pem', server_side=True)
httpd.serve_forever()

and this as requester

from urllib import request
req = request.urlopen('https://localhost:4443', cafile='/home/rptlab/tmp/cert.pem')
print(req.read())

then provided the self signed cert has the name localhost requests can be made OK.

I'm guessing this would also work OK if the cert had multiple names embedded in it which would allow a small cluster to be used.

I don't know which part of the socket does the host name checking, but perhaps that can be turned off somewhere.

> accepted. I understand it as much as "hey openssl here is a root cert that you should
> trust if you encounter it". Without doing this, the cert is denied on the SSL level
> (unless you set the ssl options to no-cert-required but that is definitely not what I
> wanted)
>
> Bottom line is I learned something new :) And also that Python's standard ssl library
> isn't as bad as I remember it to be a few years ago. Is there still a reason to use,
> say, PyOpenSSL anymore?

it's getting better anyhow.

> Irmen

-- 
Robin Becker
Re: SSL/TLS support in Pyro4
On 04/08/2017 15:44, Robin Becker wrote:
> ..
>>
>> Hi Robin
>>
>> I am not sure how this is any benefit over the self-signed root certs that I now use?
>>
>> Except for the fact that these are a root cert as well and don't use any CA trust chain.
>> To be able to validate this cert, I have to load it as a CA cert on the validating side.
>> Which isn't bad per se.
>>
>> I've used openssl as mentioned here to create my certs:
>> https://docs.python.org/3.7/library/ssl.html#self-signed-certificates
>
> Well I was thinking perhaps you had trouble with self signed certs for some reason. I
> only used CA type setup because some recipe for mongo clusters seems to want that. I
> think the mariadb clusters were fine with simple self signed certs. However, if I
> control the cluster can I not just distribute the cert to all members and have them
> validate it against itself or does python refuse to do that? I vaguely remember some
> python apis allow the authority chain to be specified.

You can specify a CAcert using load_verify_locations on the ssl context. Is that what you meant? I figured out that if you set that to the peer's certificate it will then be accepted. I understand it as much as "hey openssl here is a root cert that you should trust if you encounter it". Without doing this, the cert is denied on the SSL level (unless you set the ssl options to no-cert-required but that is definitely not what I wanted)

Bottom line is I learned something new :) And also that Python's standard ssl library isn't as bad as I remember it to be a few years ago. Is there still a reason to use, say, PyOpenSSL anymore?

Irmen
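The two points made above (Irmen's: pinning the peer's own self-signed certificate as the trust anchor with load_verify_locations, after which the certificate is accepted; Christian's later reply: such a certificate has to pass OpenSSL's checks as CA and EE at the same time, so the X509v3 extensions must be chosen accordingly) as one added, runnable example. This is not code from the thread or from Pyro4; it assumes an openssl command-line binary on PATH (the demo returns None without one), generates a throw-away certificate for localhost/127.0.0.1 with an explicit BasicConstraints/KeyUsage/ExtendedKeyUsage combination, and uses ssl.SSLContext instead of the ssl.wrap_socket() call quoted in the thread, which was deprecated and has since been removed from Python (3.12). The host name node2.cluster.example is a constructed name that is deliberately not in the certificate, to show where the host name check happens and what it reports.

```python
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Extension set for one self-signed certificate that OpenSSL must accept both as
# the trust anchor (CA) and as the server's end-entity (EE) certificate. These
# values are constructed for this example; adjust subjectAltName to your hosts.
OPENSSL_CONF = """
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no

[dn]
CN = localhost

[v3_self]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier = hash
"""


def make_self_signed_cert(workdir):
    """Generate key.pem/cert.pem with the openssl CLI; returns (certfile, keyfile),
    or None when no openssl binary is available (assumption: openssl on PATH)."""
    if shutil.which("openssl") is None:
        return None
    conf = os.path.join(workdir, "openssl.cnf")
    certfile = os.path.join(workdir, "cert.pem")
    keyfile = os.path.join(workdir, "key.pem")
    with open(conf, "w") as f:
        f.write(OPENSSL_CONF)
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-config", conf, "-keyout", keyfile, "-out", certfile],
        check=True, capture_output=True,
    )
    return certfile, keyfile


def tls_roundtrip(certfile, keyfile, server_hostname, pin_peer_cert=True):
    """One TLS handshake over loopback. With pin_peer_cert the client loads the
    server's own certificate as its sole trust anchor via load_verify_locations();
    PROTOCOL_TLS_CLIENT keeps CERT_REQUIRED and check_hostname=True switched on,
    so the host name is matched against the certificate's subjectAltName."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile, keyfile)
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if pin_peer_cert:
        client_ctx.load_verify_locations(cafile=certfile)

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello over TLS")
        except (ssl.SSLError, OSError):
            pass  # the client rejected our certificate and sent an alert

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return ("ok", tls.recv(64))
    except ssl.SSLCertVerificationError as exc:
        # Denied "on the SSL level": the handshake never completes.
        return ("verify_failed", exc.verify_message)
    finally:
        worker.join(5)
        listener.close()


def demo():
    """The three outcomes discussed in the thread, or None without an openssl CLI."""
    with tempfile.TemporaryDirectory() as workdir:
        files = make_self_signed_cert(workdir)
        if files is None:
            return None
        certfile, keyfile = files
        return {
            "pinned_matching_name": tls_roundtrip(certfile, keyfile, "localhost"),
            "pinned_wrong_name": tls_roundtrip(certfile, keyfile, "node2.cluster.example"),
            "not_pinned": tls_roundtrip(certfile, keyfile, "localhost", pin_peer_cert=False),
        }


if __name__ == "__main__":
    for case, outcome in (demo() or {}).items():
        print(f"{case}: {outcome}")
```

The first case succeeds because the pinned certificate is trusted and "localhost" is in its subjectAltName; the second fails with a host name mismatch even though the certificate is trusted, which is the check Robin noticed (it belongs to the client's SSLContext, not the socket, and leaving check_hostname on is the right answer for a cluster: put every member's name in subjectAltName instead); the third fails with a self-signed-certificate error because no trust anchor was loaded at all. Omitting the keyUsage/extendedKeyUsage lines also works; including a combination without keyCertSign or serverAuth is what makes a single certificate fail one of the two roles Christian describes.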
Re: SSL/TLS support in Pyro4
..
> Hi Robin
>
> I am not sure how this is any benefit over the self-signed root certs that I now use?
>
> Except for the fact that these are a root cert as well and don't use any CA trust chain.
> To be able to validate this cert, I have to load it as a CA cert on the validating side.
> Which isn't bad per se.
>
> I've used openssl as mentioned here to create my certs:
> https://docs.python.org/3.7/library/ssl.html#self-signed-certificates

Well I was thinking perhaps you had trouble with self signed certs for some reason. I only used CA type setup because some recipe for mongo clusters seems to want that. I think the mariadb clusters were fine with simple self signed certs. However, if I control the cluster can I not just distribute the cert to all members and have them validate it against itself or does python refuse to do that? I vaguely remember some python apis allow the authority chain to be specified.

-- 
Robin Becker
Re: SSL/TLS support in Pyro4
On 03/08/2017 20:30, Irmen de Jong wrote:
> Alternatively, is there a cheap way to get an 'official' SSL certificate for testing
> purposes. I don't think letsencrypt can help here because it is only for web sites?
> (and their certs are only valid for a very short period)

With some host file trickery (had to fool my dev machine into thinking it is my web server) I managed to get it all to work with a letsencrypt cert as well.

Irmen
Re: SSL/TLS support in Pyro4
On 04/08/2017 10:26, Robin Becker wrote:
> On 03/08/2017 19:30, Irmen de Jong wrote:
> .
>>
>> I wonder if any current (or new) users of Pyro4 want to check this out? The biggest
>> concern I have is that I only have dummy (self-signed) certificates so I can't test it
>> with "real" certs to see if the validation works correctly.
> ..
>
> I've used self created authorities with mariadb and mongo to secure local clusters.
> Could this provide private secure certs for pyro?

Hi Robin

I am not sure how this is any benefit over the self-signed root certs that I now use?

Except for the fact that these are a root cert as well and don't use any CA trust chain. To be able to validate this cert, I have to load it as a CA cert on the validating side. Which isn't bad per se.

I've used openssl as mentioned here to create my certs:
https://docs.python.org/3.7/library/ssl.html#self-signed-certificates

Irmen
Re: SSL/TLS support in Pyro4
On 03/08/2017 19:30, Irmen de Jong wrote:
.
> I wonder if any current (or new) users of Pyro4 want to check this out? The biggest
> concern I have is that I only have dummy (self-signed) certificates so I can't test it
> with "real" certs to see if the validation works correctly.
..

I've used self created authorities with mariadb and mongo to secure local clusters. Could this provide private secure certs for pyro?

-- 
Robin Becker
SSL/TLS support in Pyro4
Hi,

Pyro4 (http://pyro4.readthedocs.io) allows you to call methods on Python objects running on other machines, as if they were just normal local objects.

Regarding the network communication: it hasn't got any real security mechanisms built-in and always explicitly depended on external tools or systems to provide this (such as VPN or SSL tunneling).

Until now: I've finally started adding SSL/TLS support to Pyro4 itself. The work-in-progress 4.62 version has it (git master branch). Docs are still lacking right now but there is a working ssl example included.

I wonder if any current (or new) users of Pyro4 want to check this out? The biggest concern I have is that I only have dummy (self-signed) certificates so I can't test it with "real" certs to see if the validation works correctly.

Alternatively, is there a cheap way to get an 'official' SSL certificate for testing purposes. I don't think letsencrypt can help here because it is only for web sites? (and their certs are only valid for a very short period)

Cheers
Irmen de Jong