Here is my current solution:
First, I optionally obtain the client cert and set environment variables in
apache:
SSLVerifyClient optional
SSLVerifyDepth 2
SSLOptions +StdEnvVars
This allows login via browsers to not require a client cert (using Auth
instead)
Then I read up on decorators and created a simple one to verify the client
IP with the common name using the apache ssl environment in my model:
import socket

def gethostips(host, type=None):
    # Resolve host to the set of addresses it maps to (IPv4 and IPv6 unless
    # a single address family is requested).
    ips = set()
    if type:
        types = (type,)
    else:
        types = (socket.AF_INET,
                 socket.AF_INET6)
    for t in types:
        try:
            res = socket.getaddrinfo(host, None,
                                     t, socket.SOCK_STREAM)
        except socket.error:
            continue
        nips = set([x[4][0] for x in res])
        ips.update(nips)
    return list(ips)

# more todo...
def check_client_cert(f):
    # Accept f only if the certificate CN (SSL_CLIENT_S_DN_CN, exported by
    # mod_ssl) resolves to the address the request came from.
    if request.env.ssl_client_s_dn_cn is not None:
        for i in gethostips(request.env.ssl_client_s_dn_cn):
            if i == request.env.remote_addr:
                return f
    return False
Now I can decorate my xmlrpc requests with:
@service.xmlrpc
@check_client_cert
def my_function(my_args):
In this way, I can customize cert checks for my application.
NOTE: If the ips do not match the client gets a trace with:
xmlrpclib.ProtocolError: <ProtocolError for
client:443/tibs1/default/call/xmlrpc: 500 INTERNAL SERVER ERROR>
My two questions are:
1. Does using decorators seem reasonable for what I'm trying to do
(i.e. any glaring security issues come to mind)?
2. Is there a better way to exit the decorator on error besides just
returning False?
I always like to leave the attacker as confused as possible ;)
Kris
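An added example (not Kris's code and not web2py's own) of the same CN-to-address check written as a wrapping decorator. It also bears on the second question: the check runs when the XML-RPC method is called rather than at decoration time, so a mismatch is rejected with a deliberate exception instead of handing False to service.xmlrpc and producing the 500 shown above. It additionally reads mod_ssl's SSL_CLIENT_VERIFY variable, which SSLVerifyClient optional leaves at NONE when the caller presents no certificate, so the method cannot be reached by a client that simply omitted the cert. Env, Request, ClientCertError, fake_resolve and the 'agent1.example.test' table are stand-ins constructed here so the block runs outside web2py and without live DNS; in a real controller you would pass web2py's global request, keep the default socket.getaddrinfo resolver, and raise HTTP(403) where the example raises ClientCertError.

```python
import socket
from functools import wraps


class ClientCertError(Exception):
    """Raised when the client certificate is missing or does not match the peer."""


class Env(object):
    """Constructed stand-in for web2py's request.env (attribute access to CGI vars)."""
    def __init__(self, **kw):
        self.__dict__.update(kw)

    def __getattr__(self, name):
        return None  # unset variables read as None, as they do in web2py


class Request(object):
    """Constructed stand-in for web2py's global request object."""
    def __init__(self, env):
        self.env = env


def gethostips(host, resolve=socket.getaddrinfo):
    """Return the set of IPv4/IPv6 addresses 'host' resolves to.

    'resolve' defaults to socket.getaddrinfo; it is a parameter only so a
    deterministic resolver can be injected instead of touching real DNS.
    """
    ips = set()
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            res = resolve(host, None, family, socket.SOCK_STREAM)
        except socket.error:
            continue
        ips.update(entry[4][0] for entry in res)
    return ips


def check_client_cert(request, resolve=socket.getaddrinfo):
    """Decorator factory: run the wrapped function only when a verified client
    certificate was presented and its CN resolves to the connecting address.

    The check lives inside the wrapper, so it runs per call and a failure is a
    deliberate exception rather than a non-callable handed to the service.
    """
    def decorator(f):
        @wraps(f)
        def wrapper(*args, **kwargs):
            env = request.env
            # mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only for a certificate
            # that chained to the configured CA; with SSLVerifyClient optional
            # a caller may present nothing, in which case it reads NONE.
            if env.ssl_client_verify != 'SUCCESS' or not env.ssl_client_s_dn_cn:
                raise ClientCertError('no verified client certificate presented')
            cn = env.ssl_client_s_dn_cn
            if env.remote_addr not in gethostips(cn, resolve):
                raise ClientCertError('certificate CN %r does not resolve to peer %s'
                                      % (cn, env.remote_addr))
            return f(*args, **kwargs)
        return wrapper
    return decorator


# --- constructed demo: one peer that matches, one that does not -------------
def fake_resolve(host, port, family, socktype):
    """Deterministic stand-in for socket.getaddrinfo (constructed table)."""
    table = {'agent1.example.test': ['192.0.2.10', '2001:db8::10']}
    if host not in table:
        raise socket.gaierror('constructed: name not known')
    return [(family, socktype, 0, '', (ip, 0)) for ip in table[host]
            if (':' in ip) == (family == socket.AF_INET6)]


def run_demo(remote_addr, cn='agent1.example.test', verify='SUCCESS'):
    """Call a protected function as a peer at 'remote_addr'; return the outcome."""
    request = Request(Env(remote_addr=remote_addr, ssl_client_s_dn_cn=cn,
                          ssl_client_verify=verify))

    @check_client_cert(request, resolve=fake_resolve)
    def my_function(x):
        return 'ok:%s' % x

    try:
        return my_function('ping')
    except ClientCertError as e:
        return 'rejected: %s' % e


if __name__ == '__main__':
    print(run_demo('192.0.2.10'))                 # ok:ping
    print(run_demo('198.51.100.7'))               # rejected: certificate CN ... does not resolve to peer
    print(run_demo('192.0.2.10', verify='NONE'))  # rejected: no verified client certificate presented
```

The CN-to-DNS comparison is kept exactly as in the post; what changes is where it runs and how it fails. Note that remote_addr is only the peer's address when Apache terminates TLS directly; behind a reverse proxy it is the proxy's address and the check would have to use the forwarded address instead.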
On Friday, October 25, 2013 3:44:14 AM UTC-6, Michele Comitini wrote:
>
> It should be possible in combination
> with gluon/contrib/login_methods/x509_auth.py using the standard
> @auth_requires_login or checking authorization data in a model after the
> usual auth=Auth() is properly instantiated and initiated.
>
> mic
>
>
> 2013/10/25 Massimo Di Pierro <[email protected]>
>
>> I do not think xmlrpc can do this currently.
>> Please share your code.
>>
>>
>> On Thursday, 24 October 2013 17:40:50 UTC-5, [email protected] wrote:
>>>
>>> Hi All,
>>> I am new to python and web2py and I really like them both!
>>>
>>> Can @xmlrpc provide client side certificate validation and
>>> actually do the hostname checks on the certificates
>>> (to prevent MITM attacks) when
>>> an application is deployed on an apache server?
>>>
>>> I ask this because web2py turned me on to the xmlrpc
>>> interface in python, and running tests there, I had to
>>> really muck with the 2.x python code to get this to
>>> work.
>>>
>>> If not, I'm very happy to cleanup my xmlrpc changes to
>>> be incorporated into web2py.
>>>
>>> Thanks in advance!
>>> Kris
>>>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.