[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2017-09-06 Thread Christian Heimes

Christian Heimes added the comment:

This feature request has been idle for five years. Although TLS-SRP is nice to 
have, it is not a priority for protocols such as HTTPS. I neither have time nor 
motivation to create a patch myself. Therefore I'm closing this issue for lack 
of activity. Please feel free to re-open it with a patch against 3.7.

--
resolution:  -> out of date
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2016-09-15 Thread Christian Heimes

Changes by Christian Heimes :


--
assignee:  -> christian.heimes
components: +SSL




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2016-09-08 Thread Christian Heimes

Changes by Christian Heimes :


--
components: +Extension Modules
versions: +Python 3.7 -Python 3.4




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2015-08-21 Thread Nicolas Jouanin

Changes by Nicolas Jouanin n...@beerfactory.org:


--
nosy: +njouanin

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11943
___



[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2013-06-14 Thread Christian Heimes

Changes by Christian Heimes li...@cheimes.de:


--
nosy: +christian.heimes




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2012-09-11 Thread Senthil Kumaran

Senthil Kumaran added the comment:

2012/9/10 Jesús Cea Avión rep...@bugs.python.org:

> Ping!.

Guess, it is still for 3.4.

--




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2012-09-11 Thread Jesús Cea Avión

Jesús Cea Avión added the comment:

Yes, 3.4.

I would hate to rush, in two years, because this issue was neglected during 18 
months :)

No reason for not starting now.

--




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2012-09-11 Thread Antoine Pitrou

Antoine Pitrou added the comment:

On Tuesday 11 September 2012 at 13:52 +, Jesús Cea Avión wrote:
> No reason for not starting now.

There's no point in being pushy, though. If you want to start, the
best thing is to work on the patch and update it.

--




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2012-09-10 Thread Jesús Cea Avión

Jesús Cea Avión added the comment:

Ping!.

--




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2012-06-28 Thread Antoine Pitrou

Changes by Antoine Pitrou pit...@free.fr:


--
versions: +Python 3.4 -Python 3.3




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2012-05-04 Thread Antoine Pitrou

Antoine Pitrou pit...@free.fr added the comment:

Quinn, are you planning to work on an updated patch?

--




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-05-04 Thread Quinn Slack

Quinn Slack s...@cs.stanford.edu added the comment:

I have updated the patch in hg to address the sections marked TODO (after I 
submitted a patch to OpenSSL that they depended on). I'll resubmit a patch here 
in a ~week addressing that issue and those below, to continue pushing this 
issue along.

pitrou: Thanks for your feedback.

> - the OpenSSL functions you are using (SSL_get_srp_username etc.) don't seem 
> documented on openssl.org; this makes it harder to do a proper review

Yes...I'll submit some docs to OpenSSL on these functions.

> - what is an SRP vbase? is it something standardized, or OpenSSL-specific?
> - if server-side support needs a callback, I think it would be better to let 
> users write their callback in Python, rather than force a hardwired 
> implementation

An SRP vbase is OpenSSL's name for the SRP password (verifier) database. I 
will generalize this interface so that Python callbacks can be provided (in 
addition to using an OpenSSL verifier database).

> - no need to fill Misc/ACKS and Misc/NEWS by yourself, we can take care of 
> that
> - ssl.wrap_socket() is the legacy API, I would rather add new features only 
> to the SSLContext API

Got it.

--
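
Added example, not part of the original thread or of the submitted patch: a sketch of what a Python-level SRP verifier lookup could look like, given that a "vbase" holds a salt and a verifier per user rather than passwords. The names `VerifierDB`, `lookup`, `make_verifier` and `srp_x`, the callback shape, and the decoy entry for unknown usernames are assumptions of this example; the group is the 1024-bit one from RFC 5054 Appendix A.

```python
import hashlib
import hmac
import os

# RFC 5054 Appendix A, 1024-bit group (generator 2); used by the RFC's test vectors.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2


def srp_x(username, password, salt):
    """x = SHA1(salt | SHA1(username ":" password)), as in RFC 5054."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def make_verifier(username, password, salt=None):
    """Return (salt, v) with v = g^x mod N; only this pair is stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, pow(G, srp_x(username, password, salt), N)


class VerifierDB:
    """Hypothetical Python counterpart of an OpenSSL 'vbase'."""

    def __init__(self, seed_key):
        self._seed = seed_key   # server-side secret for decoy entries
        self._entries = {}      # username -> (salt, verifier)

    def add_user(self, username, password, salt=None):
        self._entries[username] = make_verifier(username, password, salt)

    def lookup(self, username):
        """Callback shape assumed here: username -> (salt, verifier)."""
        if username in self._entries:
            return self._entries[username]
        # Unknown user: derive a stable decoy so repeated probes look the
        # same and do not reveal which accounts exist.
        def mac(tag):
            return hmac.new(self._seed, tag + username.encode(), hashlib.sha1).digest()
        return mac(b"salt")[:16], pow(G, int.from_bytes(mac(b"x"), "big"), N)
```

A server that loses this database leaks verifiers, which still allow offline guessing of weak passwords, so the stored pairs need the same protection as password hashes.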




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-05-01 Thread Antoine Pitrou

Antoine Pitrou pit...@free.fr added the comment:

Thanks for the patch. Some preliminary comments:

- the OpenSSL functions you are using (SSL_get_srp_username etc.) don't seem 
documented on openssl.org; this makes it harder to do a proper review
- no need to fill Misc/ACKS and Misc/NEWS by yourself, we can take care of that
- what is an SRP vbase? is it something standardized, or OpenSSL-specific?
- if server-side support needs a callback, I think it would be better to let 
users write their callback in Python, rather than force a hardwired 
implementation
- ssl.wrap_socket() is the legacy API, I would rather add new features only to 
the SSLContext API

--




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-04-28 Thread Jesús Cea Avión

Changes by Jesús Cea Avión j...@jcea.es:


--
nosy: +jcea




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-04-28 Thread Senthil Kumaran

Changes by Senthil Kumaran sent...@uthcode.com:


--
nosy: +orsenthil




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-04-28 Thread Jesús Cea Avión

Jesús Cea Avión j...@jcea.es added the comment:

The idea seems interesting. I will check the RFC ASAP. The patch should include 
documentation updates, though. You can update the issue number in the NEWS 
file, also.

Do you plan to complete the sections marked as TODO? 

PS: The Mercurial repository URL you are linking has an unneeded username, and 
Firefox complains about it.

--




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-04-28 Thread Jesús Cea Avión

Jesús Cea Avión j...@jcea.es added the comment:

Also, I will not invest too much time on this until OpenSSL 1.0.1 is released, 
with support for this.

--




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-04-28 Thread Quinn Slack

Quinn Slack s...@cs.stanford.edu added the comment:

Thanks for checking this out. Yes, this should wait for OpenSSL 1.0.1.

I will fix the TODO. It is there because the current TLS-SRP patch to OpenSSL 
uses old (pre-RFC 5054) TLS alert values for when the SRP username isn't in the 
Client Hello. I'm preparing another patch to OpenSSL to fix these, and then 
I'll update this patch.

I'll also include docs.

--




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-04-27 Thread Quinn Slack

New submission from Quinn Slack s...@cs.stanford.edu:

This patch adds support for TLS-SRP (RFC 5054[1]) to Python ssl.SSLSocket, 
_ssl.c, http, and urllib. TLS-SRP lets a client and server establish a mutually 
authenticated SSL channel using only a username and password (a certificate may 
also be used to supplement authentication).

TLS-SRP is supported in GnuTLS, OpenSSL 1.0.1 (soon to be released), cURL, 
TLSLite (a Python module), and mod_gnutls. There are also patches for Chrome, 
NSS, mod_ssl, Django, Firefox, WordPress, and SJCL (see [2]). Much of the
growing interest in TLS-SRP is because a couple key PAKE patents expired 
recently. Also, CAs are perceived as more vulnerable now than a few years ago, 
and in certain cases TLS-SRP is a good substitute for or supplement to 
certificate auth. Two Python-specific use cases for TLS-SRP are calling HTTP 
APIs that require auth, and test suites written in Python for networked 
software (e.g., Chromium uses TLSLite for network testing).

I'm submitting this patch now to begin gathering feedback.

###
EXAMPLE USAGE
###

import urllib.request
# tls_username / tls_password are the keyword arguments added by this patch
res = urllib.request.urlopen('https://tls-srp.test.trustedhttp.org/',
                             tls_username='jsmith', tls_password='abc')
print(res.read())
# => user: jsmith

###

import ssl, http.client
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
# set_tls_username_password() is the SSLContext method added by this patch
context.set_tls_username_password('jsmith', 'abc')
h = http.client.HTTPSConnection('tls-srp.test.trustedhttp.org', 443,
                                context=context)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)
# => 200
print(resp.read())
# => user: jsmith

###

import socket, ssl
with socket.socket() as sock:
    # restrict the handshake to SRP cipher suites
    s = ssl.wrap_socket(sock,
                        ssl_version=ssl.PROTOCOL_TLSv1,
                        ciphers='SRP',
                        tls_username='jsmith',
                        tls_password='abc')
    s.connect(('tls-srp.test.trustedhttp.org', 443))
    s.write(b'GET / HTTP/1.0\n\n')
    print(s.read())

###



[1] http://tools.ietf.org/html/rfc5054
[2] http://trustedhttp.org/
[3] http://trustedhttp.org/wiki/TLS-SRP_in_Python

--
components: Library (Lib)
files: python+tls-srp-20110427.patch
hgrepos: 23
keywords: patch
messages: 134627
nosy: sqs
priority: normal
severity: normal
status: open
title: Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib
versions: Python 3.3
Added file: http://bugs.python.org/file21815/python+tls-srp-20110427.patch




[issue11943] Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

2011-04-27 Thread Antoine Pitrou

Changes by Antoine Pitrou pit...@free.fr:


--
nosy: +debatem1, pitrou
stage:  -> patch review
type:  -> feature request
