[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-05-04 Thread Quinn Slack

Quinn Slack added the comment:

I have updated the patch in hg to address the sections marked "TODO" (after I 
submitted a patch to OpenSSL that they depended on). I'll resubmit a patch here 
in a ~week addressing that issue and those below, to continue pushing this 
issue along.

pitrou: Thanks for your feedback.

> - the OpenSSL functions you are using (SSL_get_srp_username etc.) don't seem 
> documented on openssl.org; this makes it harder to do a proper review

Yes...I'll submit some docs to OpenSSL on these functions.

> - what is an "SRP vbase"? is it something standardized, or OpenSSL-specific?
> - if server-side support needs a callback, I think it would be better to let 
> users write their callback in Python, rather than force a hardwired 
> implementation

An SRP "vbase" is OpenSSL's name for the SRP password (verifier) database. I 
will generalize this interface so that Python callbacks can be provided (in 
addition to using an OpenSSL verifier database).

> - no need to fill Misc/ACKS and Misc/NEWS by yourself, we can take care of 
> that
> - ssl.wrap_socket() is the legacy API, I would rather add new features only 
> to the SSLContext API

Got it.

--

___
Python tracker 
<http://bugs.python.org/issue11943>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-04-28 Thread Quinn Slack

Quinn Slack added the comment:

Thanks for checking this out. Yes, this should wait for OpenSSL 1.0.1.

I will fix the TODO. It is there because the current TLS-SRP patch to OpenSSL 
uses old (pre-RFC 5054) TLS alert values for when the SRP username isn't in the 
Client Hello. I'm preparing another patch to OpenSSL to fix these, and then 
I'll update this patch.

I'll also include docs.




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-04-27 Thread Quinn Slack

New submission from Quinn Slack:

This patch adds support for TLS-SRP (RFC 5054[1]) to Python ssl.SSLSocket, 
_ssl.c, http, and urllib. TLS-SRP lets a client and server establish a mutually 
authenticated SSL channel using only a username and password (a certificate may 
also be used to supplement authentication).

TLS-SRP is supported in GnuTLS, OpenSSL 1.0.1 (soon to be released), cURL, 
TLSLite (a Python module), and mod_gnutls. There are also patches for Chrome, 
NSS, mod_ssl, Django, Firefox, WordPress, and SJCL (see [2]). Much of the
growing interest in TLS-SRP is because a couple of key PAKE patents expired 
recently. Also, CAs are perceived as more vulnerable now than a few years ago, 
and in certain cases TLS-SRP is a good substitute for or supplement to 
certificate auth. Two Python-specific use cases for TLS-SRP are calling HTTP 
APIs that require auth, and test suites written in Python for networked 
software (e.g., Chromium uses TLSLite for network testing).

I'm submitting this patch now to begin gathering feedback.

###
EXAMPLE USAGE
###

import urllib.request
# tls_username / tls_password are the keyword arguments this patch adds
res = urllib.request.urlopen("https://tls-srp.test.trustedhttp.org/",
                             tls_username='jsmith', tls_password='abc')
print(res.read())
# => "user: jsmith"

###

import http.client, ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.set_tls_username_password('jsmith', 'abc')  # added by this patch
h = http.client.HTTPSConnection('tls-srp.test.trustedhttp.org', 443,
                                context=context)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)
# => 200
print(resp.read())
# => "user: jsmith"

###

import socket, ssl
with socket.socket() as sock:
    s = ssl.wrap_socket(sock,
                        ssl_version=ssl.PROTOCOL_TLSv1,
                        ciphers='SRP',
                        tls_username='jsmith',  # added by this patch
                        tls_password='abc')
    s.connect(('tls-srp.test.trustedhttp.org', 443))
    s.write(b"GET / HTTP/1.0\n\n")
    print(s.read())

###



[1] http://tools.ietf.org/html/rfc5054
[2] http://trustedhttp.org/
[3] http://trustedhttp.org/wiki/TLS-SRP_in_Python

--
components: Library (Lib)
files: python+tls-srp-20110427.patch
hgrepos: 23
keywords: patch
messages: 134627
nosy: sqs
priority: normal
severity: normal
status: open
title: Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib
versions: Python 3.3
Added file: http://bugs.python.org/file21815/python+tls-srp-20110427.patch

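The verifier database ("vbase") and the username/password key agreement that TLS-SRP builds on, as an added example that is not part of the submitted patch or of Python's ssl module: a pure-Python SRP-6a exchange over the RFC 5054 1024-bit group, enrolling the credentials quoted in the thread with a constructed salt and checking that client and server derive the same premaster secret.

```python
import hashlib
import os

# RFC 5054 Appendix A: the 1024-bit group (N is a safe prime, g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8          # 128 bytes

def pad(n):
    """PAD() from RFC 5054: left-pad an integer to the byte length of N."""
    return n.to_bytes(N_LEN, "big")

def H(*parts):
    """SHA-1 over the concatenation; SHA-1 is the hash TLS-SRP mandates."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))                       # SRP-6a multiplier parameter

def private_x(username, password, salt):
    """x = SHA1(s | SHA1(I | ":" | P)); only ever computed client-side."""
    return H(salt, hashlib.sha1(username + b":" + password).digest())

def make_verifier(username, password, salt):
    """Enrolment: the server stores (I, s, v) in its vbase, never P."""
    return pow(g, private_x(username, password, salt), N)

def srp_exchange(username, password, salt, v, a=None, b=None):
    """One SRP-6a run; returns (client premaster, server premaster)."""
    a = a or int.from_bytes(os.urandom(32), "big")   # client ephemeral
    b = b or int.from_bytes(os.urandom(32), "big")   # server ephemeral
    A = pow(g, a, N)                                 # ClientKeyExchange
    B = (k * v + pow(g, b, N)) % N                   # ServerKeyExchange
    # RFC 5054 2.5.3/2.5.4: abort on illegal public values or u == 0
    if A % N == 0 or B % N == 0:
        raise ValueError("illegal_parameter: public value is 0 mod N")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("illegal_parameter: u == 0")
    x = private_x(username, password, salt)
    client_S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    server_S = pow(A * pow(v, u, N), b, N)
    return client_S, server_S

# Constructed sample: the credentials quoted in the thread and a fixed salt.
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
VERIFIER = make_verifier(b"jsmith", b"abc", SALT)
```

RFC 5054 Appendix B publishes test vectors (I = "alice", P = "password123") against which private_x and make_verifier can be checked before relying on this arithmetic.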