ssl server

  • Seb

    ssl server

    I'm making an SSL server, but I'm not sure how I can verify the
    clients. What do I actually need to place in _verify to actually
    verify that the client cert is signed by me?

    import socket
    from SocketServer import TCPServer  # Python 2 module name; socketserver on Python 3

    from OpenSSL import SSL


    class SSLTCPServer(TCPServer):
        keyFile = "sslcert/server.key"
        certFile = "sslcert/server.crt"

        def __init__(self, server_address, RequestHandlerClass):
            ctx = SSL.Context(SSL.SSLv23_METHOD)
            ctx.use_privatekey_file(self.keyFile)
            ctx.use_certificate_file(self.certFile)
            # Ask every client for a certificate and run _verify on each cert
            # in the chain it presents.
            ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT |
                           SSL.VERIFY_CLIENT_ONCE, self._verify)
            ctx.set_verify_depth(10)
            ctx.set_session_id('DFS')

            self.server_address = server_address
            self.RequestHandlerClass = RequestHandlerClass
            self.socket = socket.socket(self.address_family, self.socket_type)
            self.socket = SSL.Connection(ctx, self.socket)
            self.socket.bind(self.server_address)
            self.socket.listen(self.request_queue_size)

        def _verify(self, conn, cert, errno, depth, retcode):
            # Accepts any unexpired cert whose issuer O field is 'DFS'. retcode,
            # OpenSSL's own chain-verification result for this cert, is not used.
            return (not cert.has_expired() and
                    cert.get_issuer().organizationName == 'DFS')
  • Giampaolo Rodola'

    #2
    Re: ssl server

    On 17 Sep, 19:33, Seb <sebastianthegreat...@gmail.com> wrote:
    > I'm making an SSL server, but I'm not sure how I can verify the
    > clients. What do I actually need to place in _verify to actually
    > verify that the client cert is signed by me?
    >
    > [code from the original post snipped]

    What library are you using? PyOpenSSL?
    In that case I think you'll have more luck by posting on their mailing
    list.

    --- Giampaolo

  • Michael Palmer

    #3
    Re: ssl server

    On Sep 17, 1:33 pm, Seb <sebastianthegreat...@gmail.com> wrote:
    > I'm making an SSL server, but I'm not sure how I can verify the
    > clients. What do I actually need to place in _verify to actually
    > verify that the client cert is signed by me?
    >
    > [code from the original post snipped]

    If I were you, I would just hide behind Apache, nginx or another
    server that does SSL. Just have that server proxy locally to your
    python server over HTTP, and firewall the python server port.
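    The setup Michael describes, written out as an added example (not part of
    the thread, and not a configuration from any project named here): nginx
    terminates TLS, requires and verifies a client certificate against our own
    CA only, and proxies over plain HTTP to the Python server on loopback. The
    hostname, file paths, port 8000 and the header names are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name dfs.example;                     # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Require a client certificate and verify its chain against our CA alone;
    # a client that presents no cert, or one not chaining to dfs-ca.crt, is
    # rejected by nginx before any request reaches the application.
    ssl_client_certificate /etc/nginx/tls/dfs-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        proxy_pass http://127.0.0.1:8000;        # the Python server, HTTP only

        # Hand the verified identity to the application. These headers are
        # trustworthy only because port 8000 is reachable from this proxy and
        # nothing else; an internet-facing 8000 would let anyone forge them.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header Host                $host;
    }
}
```

    The Python side then binds to ('127.0.0.1', 8000) instead of wrapping
    its listening socket in SSL.Connection at all, and the host firewall
    drops inbound traffic to 8000 from any other address. The application
    reads the client's subject DN from X-SSL-Client-S-DN and never parses
    certificates itself.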

  • Seb

    #4
    Re: ssl server

    On Sep 17, 10:53 pm, "Giampaolo Rodola'" <gne...@gmail.com> wrote:
    > On 17 Sep, 19:33, Seb <sebastianthegreat...@gmail.com> wrote:
    > > I'm making an SSL server, but I'm not sure how I can verify the
    > > clients. What do I actually need to place in _verify to actually
    > > verify that the client cert is signed by me?
    > >
    > > [code from the original post snipped]
    >
    > What library are you using? PyOpenSSL?
    > In that case I think you'll have more luck by posting on their mailing
    > list.

    Thanks, I did that and it worked.

  • Seb

    #5
    Re: ssl server

    On Sep 17, 7:33 pm, Seb <sebastianthegreat...@gmail.com> wrote:
    > I'm making an SSL server, but I'm not sure how I can verify the
    > clients. What do I actually need to place in _verify to actually
    > verify that the client cert is signed by me?
    >
    > [code from the original post snipped]

    Simply return retcode and it will work... assuming you have the certs
    set up properly.
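    Why "return retcode" is the whole answer: pyOpenSSL hands the callback
    OpenSSL's own verdict for each certificate in the chain (the last
    argument, ok, that the posted code calls retcode), computed against the
    CAs loaded with load_verify_locations, which the posted code never calls.
    A callback that ignores ok replaces signature verification with a check
    that anyone can satisfy by minting their own certificate with issuer
    O=DFS. The block below is an added example, not code from the thread or
    from pyOpenSSL: it creates a throwaway CA, a client certificate issued by
    it, and an attacker's self-signed certificate with the same issuer O,
    then runs in-memory TLS handshakes against a server using the callback as
    posted and against one that honours ok. Assumptions: pyOpenSSL and its
    cryptography dependency are installed; ORG, verify_as_posted,
    verify_fixed, _handshake and run_demo are names of my choosing; all
    certificates are written to a temporary directory and discarded.

```python
import datetime
import os
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
from OpenSSL import SSL

ORG = "DFS"  # assumed: the O= field of the poster's CA, which the posted callback keys on


def _issue(cn, issuer=None, is_ca=False):
    """Return (cert, key); `issuer` is a (cert, key) pair, or None for a self-signed cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, ORG),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signer = (name, key) if issuer is None else (issuer[0].subject, issuer[1])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer_name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
    return cert, key


def _write_pem(tmp, label, cert, key):
    """Write PEM files so the contexts can use the same *_file calls as the thread's code."""
    crt, kf = os.path.join(tmp, label + ".crt"), os.path.join(tmp, label + ".key")
    with open(crt, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))
    with open(kf, "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption()))
    return crt, kf


def _context(crt, key, ca_crt, verify_cb):
    ctx = SSL.Context(getattr(SSL, "TLS_METHOD", SSL.SSLv23_METHOD))
    ctx.use_certificate_file(crt)
    ctx.use_privatekey_file(key)
    ctx.load_verify_locations(ca_crt)  # the trust anchor; the posted code never loads one
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
    return ctx


def verify_as_posted(conn, cert, errno, depth, ok):
    """The thread's callback: ignores `ok`, so any unexpired cert with issuer O=DFS passes."""
    return not cert.has_expired() and cert.get_issuer().organizationName == ORG


def verify_fixed(conn, cert, errno, depth, ok):
    """Honour OpenSSL's verdict ("return retcode"), then add local policy on the leaf only."""
    if not ok:  # chain does not reach a loaded CA, bad signature, expired, ...
        return False
    if depth == 0 and cert.get_issuer().organizationName != ORG:
        return False  # policy on top of chain validation, never instead of it
    return True


def _handshake(server_ctx, client_ctx):
    """Drive a TLS handshake over memory BIOs; True iff the server accepted the client."""
    server, client = SSL.Connection(server_ctx, None), SSL.Connection(client_ctx, None)
    server.set_accept_state()
    client.set_connect_state()
    pending = [client, server]
    for _ in range(64):
        for conn in list(pending):
            try:
                conn.do_handshake()
            except SSL.WantReadError:
                continue  # waiting for bytes from the peer
            except SSL.Error:
                return False  # verify callback rejected the cert (or the peer's alert arrived)
            pending.remove(conn)
        for src, dst in ((client, server), (server, client)):
            while True:  # move every pending record to the other side
                try:
                    dst.bio_write(src.bio_read(16384))
                except SSL.WantReadError:
                    break
        if not pending:
            return True
    raise RuntimeError("handshake did not converge")


def run_demo():
    """Return {callback name: (legitimate client accepted, forged client accepted)}."""
    ca = _issue("DFS Root CA", is_ca=True)
    server, client = _issue("server", issuer=ca), _issue("client", issuer=ca)
    forged = _issue("attacker")  # self-signed, unexpired, issuer O=DFS, never signed by the CA
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ca_crt, _ = _write_pem(tmp, "ca", *ca)
        srv_crt, srv_key = _write_pem(tmp, "server", *server)
        clients = [_write_pem(tmp, "client", *client), _write_pem(tmp, "attacker", *forged)]
        for cb in (verify_as_posted, verify_fixed):
            results[cb.__name__] = tuple(
                _handshake(_context(srv_crt, srv_key, ca_crt, cb),
                           _context(crt, key, ca_crt, verify_fixed))  # client verifies the server
                for crt, key in clients)
    return results
```

    Calling run_demo() shows the posted callback accepting both the CA-issued
    client and the attacker's self-signed certificate, while verify_fixed
    accepts only the former. The fix keeps the issuer O check, but applies it
    at depth 0 after OpenSSL has already established that the leaf chains to
    the CA file; the chain rule is the floor, and application policy can only
    narrow it. Note also that the server context here never needed
    set_verify_depth(10): with a single-level CA, a depth of 1 is enough, and
    a generous depth only widens what an attacker who compromises any
    intermediate could present.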