On Sep 18, 1:05 am, Michael Palmer <[EMAIL PROTECTED]> wrote:
> On Sep 17, 1:33 pm, Seb <[EMAIL PROTECTED]> wrote:
>
> > I'm making an ssl server, but I'm not sure how I can verify the
> > clients. What do I actually need to place in _verify to actually
> > verify that the client cert is signed by me?
> >
> >     # Python 2 / pyOpenSSL; imports added so the snippet runs on its own
> >     import socket
> >     from SocketServer import TCPServer
> >     from OpenSSL import SSL
> >
> >     class SSLTCPServer(TCPServer):
> >         keyFile = "sslcert/server.key"
> >         certFile = "sslcert/server.crt"
> >
> >         def __init__(self, server_address, RequestHandlerClass):
> >             ctx = SSL.Context(SSL.SSLv23_METHOD)
> >             ctx.use_privatekey_file(self.keyFile)
> >             ctx.use_certificate_file(self.certFile)
> >             # require a client cert and call _verify for each cert in the chain
> >             ctx.set_verify(SSL.VERIFY_PEER |
> >                            SSL.VERIFY_FAIL_IF_NO_PEER_CERT |
> >                            SSL.VERIFY_CLIENT_ONCE,
> >                            self._verify)
> >             ctx.set_verify_depth(10)
> >             ctx.set_session_id('DFS')
> >
> >             self.server_address = server_address
> >             self.RequestHandlerClass = RequestHandlerClass
> >             self.socket = socket.socket(self.address_family,
> >                                         self.socket_type)
> >             self.socket = SSL.Connection(ctx, self.socket)
> >             self.socket.bind(self.server_address)
> >             self.socket.listen(self.request_queue_size)
> >
> >         def _verify(self, conn, cert, errno, depth, retcode):
> >             # pyOpenSSL verify callback: (connection, x509, errnum, errdepth, ok)
> >             return (not cert.has_expired() and
> >                     cert.get_issuer().organizationName == 'DFS')
>
> If I were you, I would just hide behind apache, nginx or
> another server that does ssl. Just have that server proxy locally to
> your python server over http, and firewall the python server port.
Good idea, however atm this is a school project so that's not really an option right now. However I might take this a bit further and use that solution.

--
http://mail.python.org/mailman/listinfo/python-list
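Added example, not code from the thread: the `_verify` callback as posted compares the issuer name but never looks at the `retcode` OpenSSL hands it, and the context loads no CA, so nothing in it actually checks the signature on the client cert. The signature check happens only when the CA certificate is loaded as a trust anchor and a client cert is required; the snippet below does that with the standard-library `ssl` module (not pyOpenSSL) and then applies the post's own policy (issuer O=DFS, not expired) to the `getpeercert()` dict after the handshake. The file paths and the organizationName "DFS" are placeholders taken from the post.

```python
import ssl
import time

# Placeholders taken from the post: the CA that signs client certs and the
# server's own key pair. Replace with real paths.
CA_FILE = "sslcert/ca.crt"
SERVER_CERT = "sslcert/server.crt"
SERVER_KEY = "sslcert/server.key"
EXPECTED_ISSUER_ORG = "DFS"

def make_server_context(cafile=CA_FILE, certfile=SERVER_CERT, keyfile=SERVER_KEY):
    """Server context that refuses any client whose cert does not chain to our CA.
    OpenSSL checks the signature against the loaded CA; an issuer-name comparison
    in a callback is not a substitute for that check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # VERIFY_PEER + VERIFY_FAIL_IF_NO_PEER_CERT
    if cafile:  # None only so the context can be built without files present
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx

def requires_client_cert(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED

def issuer_org(peer_cert):
    """organizationName from the issuer RDNs of an ssl.SSLSocket.getpeercert() dict."""
    for rdn in peer_cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def peer_cert_is_acceptable(peer_cert, now=None):
    """The post's policy (issuer O=DFS, not expired) applied after the handshake,
    i.e. after OpenSSL has already validated the chain and signature."""
    if not peer_cert:  # empty dict: no cert presented, or verify_mode too weak
        return False
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    return not_after > now and issuer_org(peer_cert) == EXPECTED_ISSUER_ORG

def handle_client(tls_conn):
    """Apply the policy to an accepted ssl.SSLSocket; drop the peer if it fails."""
    if not peer_cert_is_acceptable(tls_conn.getpeercert()):
        tls_conn.close()
        return False
    return True
```

Wrap the listening socket with `make_server_context().wrap_socket(sock, server_side=True)`; each connection returned by `accept()` has already completed the handshake, so `handle_client` only enforces the application-level policy on top of the chain validation OpenSSL has done.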