Re: Python and SSL

2007-10-05 Thread [EMAIL PROTECTED]
On Oct 5, 2:50 am, John Nagle <[EMAIL PROTECTED]> wrote:
> Johny wrote:
> > Martin and John,
> > Thank you both for your replies
> >  Must I  have OpenSSL imported in my Python program?
> > So far I have been using only SSL  support.
> > Built-in SSL support works OK if I connect from my Python program
> > directly to SSL server ( but not via proxy).
> > L.
>
>  SSL isn't SUPPOSED to work through proxies.  That's the whole point of
> SSL - to prevent somebody in the middle from tapping into the connection.
> Look up "man in the middle attack".

I'm afraid this is complete rubbish - using a proxy with SSL is fine.
The only issue is that the built in python SSL support doesn't work
with proxies. There are a number of ways of adding support though eg.
http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/456195
One thing to note is that python's built in SSL support does not
validate the server certificate and is therefore vulnerable to MITM
attacks irrespective of whether a proxy is in use or not. If you want
real security then you need to use something like PyOpenSSL or
M2Crypto and a certificate store with your root CAs.

Rich.

-- 
http://mail.python.org/mailman/listinfo/python-list
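
Added example, not part of the original thread or of any recipe it links to: with the current standard-library `ssl` module (not the Python 2.5 API discussed here), a client can tunnel through an HTTP proxy with CONNECT and still validate the server certificate and hostname. The names `open_tunnel`, `verifying_context`, `https_via_proxy`, the constructed `_fake_proxy` and the host `server.example` are assumptions made for illustration.

```python
import socket
import ssl
import threading


class ProxyError(Exception):
    """The proxy refused or garbled the CONNECT request."""


def open_tunnel(proxy_addr, host, port, timeout=5.0):
    """Ask an HTTP proxy for a raw TCP tunnel to host:port; return the socket."""
    sock = socket.create_connection(proxy_addr, timeout=timeout)
    try:
        target = f"{host}:{port}"
        sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii"))
        # Read byte by byte up to the blank line so that no bytes of the
        # TLS handshake that follows are swallowed with the proxy's header.
        head = b""
        while not head.endswith(b"\r\n\r\n"):
            byte = sock.recv(1)
            if not byte or len(head) > 65536:
                raise ProxyError("no complete reply to CONNECT")
            head += byte
        status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        fields = status_line.split(None, 2)
        if len(fields) < 2 or not fields[0].startswith("HTTP/") or not fields[1].isdigit():
            raise ProxyError(f"not an HTTP reply: {status_line!r}")
        if not 200 <= int(fields[1]) < 300:
            # e.g. 503: an HTTP-level failure at the proxy, not an SSL error
            raise ProxyError(f"proxy refused CONNECT: {status_line}")
        return sock
    except BaseException:
        sock.close()
        raise


def verifying_context(cafile=None):
    """TLS client context that checks the certificate chain and the hostname."""
    # cafile: PEM file of root CAs to trust instead of the system store,
    # e.g. the CA of a debugging proxy you run yourself.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # already the default, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default, stated explicitly
    return ctx


def https_via_proxy(proxy_addr, host, port=443, cafile=None):
    """TLS to host through the proxy; the handshake fails on a bad certificate."""
    raw = open_tunnel(proxy_addr, host, port)
    try:
        return verifying_context(cafile).wrap_socket(raw, server_hostname=host)
    except BaseException:
        raw.close()
        raise


def _fake_proxy(status_line):
    """Constructed stand-in for a proxy: answers one request with status_line."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr, seen = srv.getsockname(), []

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            data = b""
            while not data.endswith(b"\r\n\r\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            seen.append(data.split(b"\r\n", 1)[0].decode("ascii"))
            conn.sendall(status_line.encode("ascii") + b"\r\n\r\n")

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return addr, seen, worker


def demo():
    """Run both constructed cases; return (request line seen, refusal message)."""
    addr, seen, worker = _fake_proxy("HTTP/1.1 200 Connection established")
    open_tunnel(addr, "server.example", 443).close()
    worker.join(2)
    addr, _, worker = _fake_proxy("HTTP/1.1 503 Service Unavailable")
    try:
        open_tunnel(addr, "server.example", 443).close()
        refused = None
    except ProxyError as exc:
        refused = str(exc)
    worker.join(2)
    return seen[0], refused


if __name__ == "__main__":
    print(demo())
```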


Re: Python and SSL

2007-10-04 Thread Johny
On Oct 5, 3:50 am, John Nagle <[EMAIL PROTECTED]> wrote:
> Johny wrote:
> > Martin and John,
> > Thank you both for your replies
> >  Must I  have OpenSSL imported in my Python program?
> > So far I have been using only SSL  support.
> > Built-in SSL support works OK if I connect from my Python program
> > directly to SSL server ( but not via proxy).
> > L.
>
>  SSL isn't SUPPOSED to work through proxies.  That's the whole point of
> SSL - to prevent somebody in the middle from tapping into the connection.
> Look up "man in the middle attack".
>
>  
John,
SSL may not be SUPPOSED to work through proxies but it CAN work.
JAVA is  an example. But I would like to use  Python instead of Java.
And because I have not been  able to make it  I asked here about
OpenSSL.
Regards,
L.



Re: Python and SSL

2007-10-04 Thread John Nagle
Johny wrote:
> Martin and John,
> Thank you both for your replies
>  Must I  have OpenSSL imported in my Python program?
> So far I have been using only SSL  support.
> Built-in SSL support works OK if I connect from my Python program
> directly to SSL server ( but not via proxy).
> L.

 SSL isn't SUPPOSED to work through proxies.  That's the whole point of
SSL - to prevent somebody in the middle from tapping into the connection.
Look up "man in the middle attack".

John Nagle


Re: Python and SSL

2007-10-04 Thread Johny
Martin and John,
Thank you both for your replies
 Must I  have OpenSSL imported in my Python program?
So far I have been using only SSL  support.
Built-in SSL support works OK if I connect from my Python program
directly to SSL server ( but not via proxy).
L.



Re: Python and SSL

2007-10-03 Thread John J. Lee
Johny <[EMAIL PROTECTED]> writes:

> On Oct 3, 2:17 pm, "Martin v. Löwis" <[EMAIL PROTECTED]> wrote:
>> > It looks like this
>>
>> > MyPythonProgram --->Proxy>Server

You want MyPythonProgram to be proxied by Proxy, using the HTTP
CONNECT method? (CONNECT is a way of asking the proxy to just shovel
encrypted SSL traffic from client to server) Python's standard library
doesn't provide support for that.  While it's possible to do it,
httplib does not provide all the code to do it, and it's actually
quite awkward to do from e.g. urllib2.


>> > The  proxy is written in Java. I want to use that proxy to see what my
>> > Python program sends to server.

Does the proxy have support for behaving as a "man-in-the-middle",
then (by giving the proxy the private key)?  I think I've heard of
that being done for test purposes, but I don't know the details.
Seems rather odd.

An easier way is to print the traffic from your Python program.


[...]
> After I added certification, that the proxy uses, among those
> Trusted Root Certification Authorities list,as
> Gabriel described on Windows,
>
> I receive
> sslerror: (1, 'error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol')
>
>
> What does it mean?

It means that it's trying to interpret SSL traffic as if it were HTTP
traffic.  Look on ASPN Python Cookbook for a few recipes on HTTP
CONNECT (though ISTR I had to rework the one I looked at before it
worked for me).  Ask if you get stuck.


John

Re: Python and SSL

2007-10-03 Thread Martin v. Löwis
> After I added certification, that the proxy uses, among those
> Trusted Root Certification Authorities list,as
> Gabriel described on Windows,
> 
> I receive
> sslerror: (1, 'error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol')
> 
> 
> What does it mean?

Technically, it means that OpenSSL does not support the version of
the SSL protocol that the proxy uses.

Practically, it more likely means that the proxy does not use SSL
at all at the port you are connecting to.

What host/port are you connecting to?

Regards,
Martin


Re: Python and SSL

2007-10-03 Thread Johny
On Oct 3, 2:17 pm, "Martin v. Löwis" <[EMAIL PROTECTED]> wrote:
> > It looks like this
>
> > MyPythonProgram --->Proxy>Server
> > The  proxy is written in Java. I want to use that proxy to see what my
> > Python program sends to server.
> > The proxy uses its own certificate and this certificate must be
> > trusted, I think, otherwise I receive an error.
>
> What error do you receive precisely? Please copy it literally from
> the terminal, don't rephrase it.
>
After I added certification, that the proxy uses, among those
Trusted Root Certification Authorities list,as
Gabriel described on Windows,

I receive
sslerror: (1, 'error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol')


What does it mean?
Thanks.
L



Re: Python and SSL

2007-10-03 Thread Martin v. Löwis
> It looks like this
> 
> MyPythonProgram --->Proxy>Server
> The  proxy is written in Java. I want to use that proxy to see what my
> Python program sends to server.
> The proxy uses its own certificate and this certificate must be
> trusted, I think, otherwise I receive an error.

What error do you receive precisely? Please copy it literally from
the terminal, don't rephrase it.

Regards,
Martin


Re: Python and SSL

2007-10-03 Thread Gabriel Genellina
On Wed, 03 Oct 2007 04:32:04 -0300, Johny <[EMAIL PROTECTED]> wrote:

> MyPythonProgram --->Proxy>Server
> The  proxy is written in Java. I want to use that proxy to see what my
> Python program sends to server.
> The proxy uses its own certificate and this certificate must be
> trusted, I think, otherwise I receive an error.
>
> If I use
> InternetBrowser --->Proxy>Server
>
> browser asks me if the Proxy's certificate is trusted. If I reply YES,
> then communication continues (I think browser adds this certificate
> among trusted ones)

Which OS?
Windows itself manages certificate storage. Control Panel, Internet  
Options, Contents, Certificates. You can import your certificate there.

-- 
Gabriel Genellina


Re: Python and SSL

2007-10-03 Thread Johny
On Oct 3, 7:51 am, "Martin v. Löwis" <[EMAIL PROTECTED]> wrote:
> > a  certificate that is signed by OpenSSL's own CA( certification
> > authority), that is not recognized in the program's list of root CAs,
> > causes an exception to be raised.
>
> What is "the program"? What programming language is it written in?
> What library does it use to maintain a list of root CAs, and what
> code does it execute to find out that a certificate is not in this
> list?
>
> Are you sure this is related to Python at all?
Martin,
Thank you for your reply.

It looks like this

MyPythonProgram --->Proxy>Server
The  proxy is written in Java. I want to use that proxy to see what my
Python program sends to server.
The proxy uses its own certificate and this certificate must be
trusted, I think, otherwise I receive an error.

If I use
InternetBrowser --->Proxy>Server

browser asks me if the Proxy's certificate is trusted. If I reply YES,
then communication continues (I think browser adds this certificate
among trusted ones)

So, can you help, please?
Thanks.
L.



Re: Python and SSL

2007-10-02 Thread Martin v. Löwis
> a  certificate that is signed by OpenSSL's own CA( certification
> authority), that is not recognized in the program's list of root CAs,
> causes an exception to be raised.

What is "the program"? What programming language is it written in?
What library does it use to maintain a list of root CAs, and what
code does it execute to find out that a certificate is not in this
list?

Are you sure this is related to Python at all?

Regards,
Martin


Re: Python and SSL

2007-10-02 Thread Johny
Thank you all for your replies.
I am still a newbie with SSL issues but I found out that:
a  certificate that is signed by OpenSSL's own CA( certification
authority), that is not recognized in the program's list of root CAs,
causes an exception to be raised.
(That is a different behaviour from the built-in SSL.)
So, my question again,
how can I add a certification to the list of root CAs?
Thanks for help
L.





Re: Python and SSL

2007-10-01 Thread Martin v. Löwis
>  Actually, the SSL certificate has to be in valid format, because
> OpenSSL does require that.  

Sure. However, in the first message, the OP mentioned that he gets error
503. That tells me that the SSL connection had been established
successfully, and that he was actually seeing a HTTP error, not an SSL
one (unless he made up that error code, of course).

Regards,
Martin


Re: Python and SSL

2007-10-01 Thread John Nagle
Martin v. Löwis wrote:
>>> No, as Martin points out, Python trusts EVERY certificate, which of
>>> course misses the whole point of certificates.  Whatever is making
>>> your program fail is something different.
>> Paul, are you sure for 100%. It is hard to believe.
> 
> Not sure how many confirmations you want, but I can add another one.
> Paul is 100% correct. Python's SSL module, as shipped in Python 2.5.x
> and earlier, performs no verification of the server certificate
> whatsoever; it will silently accept any server certificate as correct.
> 
> Regards,
> Martin

  Actually, the SSL certificate has to be in valid format, because
OpenSSL does require that.  But there's no verification of the certificate
chain in Python's SSL module; it doesn't matter who signed it.  You can
create your own SSL certificates (there are tools for this) and Python's
SSL module will accept that.

  If you have a site that won't open with Python's stock SSL module,
try opening it with a browser.  If you get a warning message about the
certificate issuer not being validated, that's something Python will
ignore.  If you can't open the site with HTTPS at all, even after bypassing
warning messages, then the certificate at the other end may be nonexistent
or invalid.

John Nagle


Re: Python and SSL

2007-10-01 Thread Martin v. Löwis
>> No, as Martin points out, Python trusts EVERY certificate, which of
>> course misses the whole point of certificates.  Whatever is making
>> your program fail is something different.
> 
> Paul, are you sure for 100%. It is hard to believe.

Not sure how many confirmations you want, but I can add another one.
Paul is 100% correct. Python's SSL module, as shipped in Python 2.5.x
and earlier, performs no verification of the server certificate
whatsoever; it will silently accept any server certificate as correct.

Regards,
Martin


Re: Python and SSL

2007-10-01 Thread Johny
On Oct 1, 4:31 pm, Paul Rubin  wrote:
> Johny <[EMAIL PROTECTED]> writes:
> > By using my Python program I am  attempting to trust a certificate
> > signed by a certification authority that Python doesn't trust and that
> > causes the error.
>
> No, as Martin points out, Python trusts EVERY certificate, which of
> course misses the whole point of certificates.  Whatever is making
> your program fail is something different.

Paul, are you sure for 100%. It is hard to believe.
In Java it is possible so I would expect that to be possible in Python
too.
L.




Re: Python and SSL

2007-10-01 Thread Paul Rubin
Johny <[EMAIL PROTECTED]> writes:
> By using my Python program I am  attempting to trust a certificate
> signed by a certification authority that Python doesn't trust and that
> causes the error.

No, as Martin points out, Python trusts EVERY certificate, which of
course misses the whole point of certificates.  Whatever is making
your program fail is something different.


Re: Python and SSL

2007-10-01 Thread Johny
On Sep 28, 11:13 pm, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Johny wrote:
> > I need to use Python with SSL communication between servers.
> > (I use httplib but I think urllib2 can also be used )
> >  I think I need to use SSL root certificate and tell  a program to
> > trust this certificate.
>
> You can't do secure SSL with the builtin SSL support, you need to use a
> third party module. There are a few available, including M2Crypto, TLS
> Lite, pyOpenSSL and pyOpenSSL-extended. Since I am the maintainer

Thank you all for help
I probably put my question in  a wrong way.
So again:
For the purpose of the  application debugging I would like to know
how  to add a new
certification authority to Python( so that  my Python program will
accept that certificate).
By using my Python program I am  attempting to trust a certificate
signed by a certification authority that Python doesn't trust and that
causes the error.
Thanks for help.
L.




Re: Python and SSL

2007-09-30 Thread Heikki Toivonen
John Nagle wrote:
> Any progress on getting M2Crypto 0.18 to build successfully
> on Fedora Core?

I have had no luck getting a Fedora Core environment running. Ubuntu is
my main OS, but I do have VMWare installed. I tried to install FC7 from
the live CD into VMWare, but the installer dies. I also tried to
download a ready-made FC8t1 VMWare appliance, but it fails to boot. So
currently I am dead in the water.

-- 
  Heikki Toivonen


Re: Python and SSL

2007-09-29 Thread John Nagle
Paul Rubin wrote:
> "Martin v. Löwis" <[EMAIL PROTECTED]> writes:
>>> But how can I tell my Python program to trust my SSL certificate?
>> Why do you want to tell it that? The SSL module will trust *any*
>> server certificate, no need to tell it explicitly which ones to
>> trust.
> 
> Er, the whole idea of SSL is that you don't trust the connection.  So
> failing to authenticate the other end is a security failure and SSL
> should not be used that way.  From RFC 4346:
> 
>Warning: Completely anonymous connections only provide protection
> against passive eavesdropping.  Unless an independent
> tamper-proof channel is used to verify that the finished
> messages were not replaced by an attacker, server
> authentication is required in environments where active
> man-in-the-middle attacks are a concern.

 Right.  The key point here is that Python's standard SSL module
doesn't actually check the validity of SSL certificates.  It just
makes client connections without checking.  It will happily connect
to sites offering totally bogus certificates, even ones with the wrong
domain name.

 M2Crypto actually checks.  M2Crypto has much better functionality,
but it's rather hard to build.

John Nagle


Re: Python and SSL

2007-09-29 Thread Paul Rubin
"Martin v. Löwis" <[EMAIL PROTECTED]> writes:
> Please try to understand that OP's question. He got some error,
> and for some reason, he concluded that he needs to tell Python
> to trust the server certificate (most likely to make the error
> go away). I told him that he is likely wrong, and that Python already
> trusts his server certificate. I was not proposing any judgment on
> whether that's a good thing or not. In fact, I have no idea whether
> security was of any concern to the OP.

Oh, I see, I didn't interpret the question that way but it does fit
and the answer is reasonable in that situation.  


Re: Python and SSL

2007-09-29 Thread Martin v. Löwis
>>> But how can I tell my Python program to trust my SSL certificate?
>> Why do you want to tell it that? The SSL module will trust *any*
>> server certificate, no need to tell it explicitly which ones to
>> trust.
> 
> Er, the whole idea of SSL is that you don't trust the connection.

Please try to understand that OP's question. He got some error,
and for some reason, he concluded that he needs to tell Python
to trust the server certificate (most likely to make the error
go away). I told him that he is likely wrong, and that Python already
trusts his server certificate. I was not proposing any judgment on
whether that's a good thing or not. In fact, I have no idea whether
security was of any concern to the OP.

Regards,
Martin


Re: Python and SSL

2007-09-28 Thread Paul Rubin
"Martin v. Löwis" <[EMAIL PROTECTED]> writes:
> > But how can I tell my Python program to trust my SSL certificate?
> 
> Why do you want to tell it that? The SSL module will trust *any*
> server certificate, no need to tell it explicitly which ones to
> trust.

Er, the whole idea of SSL is that you don't trust the connection.  So
failing to authenticate the other end is a security failure and SSL
should not be used that way.  From RFC 4346:

   Warning: Completely anonymous connections only provide protection
against passive eavesdropping.  Unless an independent
tamper-proof channel is used to verify that the finished
messages were not replaced by an attacker, server
authentication is required in environments where active
man-in-the-middle attacks are a concern.

It's silly to worry about an eavesdropper being nosy enough to
intercept your data passively, but somehow still expect them to be
considerate enough to not use an MITM attack.  Always use
authentication if it's worth bothering with cryptographic security at
all.  

Another plan for server to server communication might be to use a VPN
rather than connection level SSL.  That would simplify your
application programming if you can set up the encrypted network at
both ends.


Re: Python and SSL

2007-09-28 Thread John Nagle
Heikki Toivonen wrote:
> Johny wrote:
>> I need to use Python with SSL communication between servers.
>> (I use httplib but I think urllib2 can also be used )
>>  I think I need to use SSL root certificate and tell  a program to
>> trust this certificate.
> 
> You can't do secure SSL with the builtin SSL support, you need to use a
> third party module. There are a few available, including M2Crypto, TLS
> Lite, pyOpenSSL and pyOpenSSL-extended. Since I am the maintainer of
> M2Crypto I will naturally recommend that ;)
> 
> http://chandlerproject.org/Projects/MeTooCrypto

 Any progress on getting M2Crypto 0.18 to build successfully
on Fedora Core?

John Nagle



Re: Python and SSL

2007-09-28 Thread Martin v. Löwis
> I heard that python 2.6 will include full "server-side SSL
> support" (whatever this means).
> Is it true?

Yes, that's true.

Regards,
Martin


Re: Python and SSL

2007-09-28 Thread Martin v. Löwis
> I need to use Python with SSL communication between servers.
> (I use httplib but I think urllib2 can also be used )
>  I think I need to use SSL root certificate and tell  a program to
> trust this certificate.

I don't think so - what the SSL module does is already fine for you.

> But how can I tell my Python program to trust my SSL certificate?

Why do you want to tell it that? The SSL module will trust *any*
server certificate, no need to tell it explicitly which ones to
trust.

> When I tried  before I received the error 503

That must be an independent error.

Regards,
Martin


Re: Python and SSL

2007-09-28 Thread Giampaolo Rodolà
I heard that python 2.6 will include full "server-side SSL
support" (whatever this means).
Is it true?



Re: Python and SSL

2007-09-28 Thread Heikki Toivonen
Johny wrote:
> I need to use Python with SSL communication between servers.
> (I use httplib but I think urllib2 can also be used )
>  I think I need to use SSL root certificate and tell  a program to
> trust this certificate.

You can't do secure SSL with the builtin SSL support, you need to use a
third party module. There are a few available, including M2Crypto, TLS
Lite, pyOpenSSL and pyOpenSSL-extended. Since I am the maintainer of
M2Crypto I will naturally recommend that ;)

http://chandlerproject.org/Projects/MeTooCrypto

-- 
  Heikki Toivonen


Python and SSL

2007-09-27 Thread Johny
I need to use Python with SSL communication between servers.
(I use httplib but I think urllib2 can also be used )
 I think I need to use SSL root certificate and tell  a program to
trust this certificate.
But how can I tell my Python program to trust my SSL certificate?
When I tried  before I received the error 503
Thank you for help
L,



Re: Python and SSL

2007-04-17 Thread Steve Holden
Paul Rubin wrote:
> "Martin v. Löwis" <[EMAIL PROTECTED]> writes:
>> It means that these modules can do encrypted communication for their
>> respective protocol. They cannot validate that they are really talking
>> to the server they think they talk to (so they are prone to a
>> man-in-the-middle attack), however, as communication is encrypted, they
>> are protected against wire-tapping.
> 
> Unless the wiretapper is running a man-in-the-middle attack...
> 
That's pretty unreasonable: wiretapping is normally regarded as passive 
listening - when the FBI tap your wire do they try and impersonate the 
people you are calling? - and Martin already explained that 
man-in-the-middle was still a risk.

Why muddy the issue with this "point"?

regards
  Steve
-- 
Steve Holden   +44 150 684 7255  +1 800 494 3119
Holden Web LLC/Ltd  http://www.holdenweb.com
Skype: holdenweb http://del.icio.us/steve.holden
Recent Ramblings   http://holdenweb.blogspot.com



Re: Python and SSL

2007-04-16 Thread Paul Rubin
"Martin v. Löwis" <[EMAIL PROTECTED]> writes:
> It means that these modules can do encrypted communication for their
> respective protocol. They cannot validate that they are really talking
> to the server they think they talk to (so they are prone to a
> man-in-the-middle attack), however, as communication is encrypted, they
> are protected against wire-tapping.

Unless the wiretapper is running a man-in-the-middle attack...



Re: Python and SSL

2007-04-16 Thread Martin v. Löwis
> - I noticed that socket module provides an SSL class (socket.ssl) but
> even if documentation reports that it does not do any certificate
> verification a lot of stdlib modules (imaplib, poplib, smtplib,
> httplib and urllib2) provides SSL extension classes wherein socket.ssl
> is used. What does it mean?

It means that these modules can do encrypted communication for their
respective protocol. They cannot validate that they are really talking
to the server they think they talk to (so they are prone to a
man-in-the-middle attack), however, as communication is encrypted, they
are protected against wire-tapping. Also, some servers require
encrypted connections (e.g. when passwords are transmitted), so they
can use SSL for that.

> - On top of that why such extension classes [examples: 1, 2, 3]
> accepts key-files and cert-files as optional arguments if no
> certificate verification occurs?
> [1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
> [2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
> [3] smtplib.starttls( [keyfile[, certfile]])

These are client certificates. Some servers require that clients
authenticate through client certificates. This effectively avoids
man-in-the-middle attacks, as the server will validate the client's
certificate.

> - By searching through the web I found some daemons supporting SSL
> such as this one:
> http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
> By looking at the code I notice that pyopenssl package is used and
> that a certificate file is required. Why do I need to use pyopenssl
> and how do I generate the cert file?

You can generate certificate files using the openssl command line
tool; see the openssl documentation for details.

Martin


Re: Python and SSL

2007-04-16 Thread kyosohma
On Apr 16, 10:24 am, "billiejoex" <[EMAIL PROTECTED]> wrote:
> Hi,
> I developed an ftp-server library and now I would like to add support
> for SSL/TLS as described in RFC 2228:http://tools.ietf.org/html/rfc2228
> Currently I'm searching for documentation about this subject and I
> would like to start to ask some questions:
>
> - I noticed that socket module provides an SSL class (socket.ssl) but
> even if documentation reports that it does not do any certificate
> verification a lot of stdlib modules (imaplib, poplib, smtplib,
> httplib and urllib2) provides SSL extension classes wherein socket.ssl
> is used. What does it mean?
>
> - On top of that why such extension classes [examples: 1, 2, 3]
> accepts key-files and cert-files as optional arguments if no
> certificate verification occurs?
> [1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
> [2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
> [3] smtplib.starttls( [keyfile[, certfile]])
>
> - By searching through the web I found some daemons supporting SSL
> such as this 
> one:http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
> By looking at the code I notice that pyopenssl package is used and
> that a certificate file is required. Why do I need to use pyopenssl
> and how do I generate the cert file?
>
> Could someone point me in the right direction?
>
> Thanks in advance.

I don't know if this will help you or not, but we use the httplib
module's "HTTPSConnection" method to connect with SSL. We use
urlencode from the urllib module to encode the username and password
we send to a server. Since I didn't write this particular bit of code,
I don't completely understand it. But I hope it will give you some
ideas.

Mike



Python and SSL

2007-04-16 Thread billiejoex
Hi,
I developed an ftp-server library and now I would like to add support
for SSL/TLS as described in RFC 2228: http://tools.ietf.org/html/rfc2228
Currently I'm searching for documentation about this subject and I
would like to start to ask some questions:

- I noticed that socket module provides an SSL class (socket.ssl) but
even if documentation reports that it does not do any certificate
verification a lot of stdlib modules (imaplib, poplib, smtplib,
httplib and urllib2) provides SSL extension classes wherein socket.ssl
is used. What does it mean?

- On top of that why such extension classes [examples: 1, 2, 3]
accepts key-files and cert-files as optional arguments if no
certificate verification occurs?
[1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
[2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
[3] smtplib.starttls( [keyfile[, certfile]])

- By searching through the web I found some daemons supporting SSL
such as this one:
http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
By looking at the code I notice that pyopenssl package is used and
that a certificate file is required. Why do I need to use pyopenssl
and how do I generate the cert file?

Could someone point me in the right direction?

Thanks in advance.



Re: Python and SSL enabled

2006-11-03 Thread matey
It appears my __m2crypto.so didn't get built correctly.

cengsu01:/home/mmedina/crypt/m2kcrypto/m2crypto-0.16 >python setup.py
build
/usr/local/lib/python2.3/distutils/extension.py:128: UserWarning:
Unknown Extension options: 'swig_opts'
  warnings.warn(msg)
running build
running build_py
running build_ext
building '__m2crypto' extension
swig -python -ISWIG -I/home/mmedina/crypt/openssl/openssl-0.9.8/include
-o SWIG/_m2crypto.c SWIG/_m2crypto.i
gcc -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes
-fPIC -I/home/mmedina/crypt/m2kcrypto/m2crypto-0.16/SWIG
-I/home/mmedina/crypt/openssl/openssl-0.9.8/include
-I/usr/local/include/python2.3 -c SWIG/_m2crypto.c -o
build/temp.solaris-2.9-sun4u-2.3/SWIG/_m2crypto.o -DTHREADING
In file included from /usr/local/include/python2.3/stringobject.h:10,
 from /usr/local/include/python2.3/Python.h:83,
 from SWIG/_m2crypto.c:13:
/opt/sfw/lib/gcc-lib/sparc-sun-solaris2.9/2.95.3/include/stdarg.h:170:
warning: redefinition of `va_list'
/usr/include/stdio.h:120: warning: `va_list' previously declared here
SWIG/_m2crypto.c:3502: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:3666: warning: function declaration isn't a prototype
SWIG/_m2crypto.c: In function `make_stack_from_der_sequence':
SWIG/_m2crypto.c:3763: warning: function declaration isn't a prototype
SWIG/_m2crypto.c: At top level:
SWIG/_m2crypto.c:4897: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:5589: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:6556: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:7689: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:8111: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:8912: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:10924: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:13654: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:15281: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:13654: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:15281: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:15302: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:15895: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:16086: warning: function declaration isn't a prototype
SWIG/_m2crypto.c:559: warning: `SWIG_Python_ConvertPacked' defined but
not used
warning: no library file corresponding to '/home/mmedina/lib' found
(skipping)
gcc -shared build/temp.solaris-2.9-sun4u-2.3/SWIG/_m2crypto.o
-L/home/mmedina/crypt/openssl/openssl-0.9.8/lib -lssl -lcrypto -o
build/lib.solaris-2.9-sun4u-2.3/M2Crypto/__m2crypto.so
Text relocation remains referenced
against symbol  offset  in file
   0x5c0
/home/mmedina/lib/libssl.a(s3_lib.o)
   0x5c4
/home/mmedina/lib/libssl.a(s3_lib.o)
   0x5c8
/home/mmedina/lib/libssl.a(s3_lib.o)
   0x5cc   /home/mmedina/li


Not sure what is going on here.  Can it not find my libraries?

Heikki Toivonen wrote:
> matey wrote:
> > I tried to run the following simple program
> >
> > #!/usr/local/bin/python
> >
> > import M2Crypto
> >
> > u = M2Crypto.m2urllib.URLopener()
> > u.open('http://www.yahoo.com')
> >
> > However I got the following error:
> >
> > Traceback (most recent call last):
> >   File "test.py", line 3, in ?
> > import M2Crypto
> >   File "/home/mmedina/python2.3/site-packages/M2Crypto/__init__.py",
> > line 14, in ?
> > import __m2crypto
> > ImportError: ld.so.1: python: fatal: relocation error: file
> > /home/mmedina/python2.3/site-packages/M2Crypto/__m2crypto.so: symbol
> > d2i_SSL_SESSION: referenced symbol not found
> > cengsu01:/home/mmedina/scripts/python >
>
> Sorry, no idea why you are getting this.
>
> Btw, I think even the M2Crypto m2urllib is unsafe, you'd be better off
> using some of the other convenience libs, httpslib or something.
>
> > However, I went back to INSTALL instructions for M2Crypto.  I saw I
> > forgot to run alltests.py
> >
> > I ran the alltests.py and received the following:
> >
> > Traceback (most recent call last):
> > ImportError: No module named __m2crypto
>
> Currently you need to install M2Crypto before you can run the tests.
> Next version of M2Crypto will have an option to run tests without
> installing. I'd assume if you copied the sources to your own site-packages
> dir and set the PYTHONPATH environment variable this would have worked.
> Notice that you'd need to copy the *built* M2Crypto dir, not the source
> M2Crypto dir which does not include the .so file.
> 
> -- 
>   Heikki Toivonen



Re: Python and SSL enabled

2006-11-01 Thread Heikki Toivonen
matey wrote:
> I tried to run the following simple program
> 
> #!/usr/local/bin/python
> 
> import M2Crypto
> 
> u = M2Crypto.m2urllib.URLopener()
> u.open('http://www.yahoo.com')
> 
> However I got the following error:
> 
> Traceback (most recent call last):
>   File "test.py", line 3, in ?
> import M2Crypto
>   File "/home/mmedina/python2.3/site-packages/M2Crypto/__init__.py",
> line 14, in ?
> import __m2crypto
> ImportError: ld.so.1: python: fatal: relocation error: file
> /home/mmedina/python2.3/site-packages/M2Crypto/__m2crypto.so: symbol
> d2i_SSL_SESSION: referenced symbol not found
> cengsu01:/home/mmedina/scripts/python >

Sorry, no idea why you are getting this.

Btw, I think even the M2Crypto m2urllib is unsafe, you'd be better off
using some of the other convenience libs, httpslib or something.

> However, I went back to INSTALL instructions for M2Crypto.  I saw I
> forgot to run alltests.py
> 
> I ran the alltests.py and received the following:
> 
> Traceback (most recent call last):
> ImportError: No module named __m2crypto

Currently you need to install M2Crypto before you can run the tests.
Next version of M2Crypto will have an option to run tests without
installing. I'd assume if you copied the sources to your own site-packages
dir and set the PYTHONPATH environment variable this would have worked.
Notice that you'd need to copy the *built* M2Crypto dir, not the source
M2Crypto dir which does not include the .so file.

-- 
  Heikki Toivonen


Re: Python and SSL enabled

2006-11-01 Thread matey
Firstly, thanks for answering.  Otherwise I wouldn't know where to turn
for help...


I tried to run the following simple program

#!/usr/local/bin/python

import M2Crypto

u = M2Crypto.m2urllib.URLopener()
u.open('http://www.yahoo.com')

However I got the following error:

Traceback (most recent call last):
  File "test.py", line 3, in ?
import M2Crypto
  File "/home/mmedina/python2.3/site-packages/M2Crypto/__init__.py",
line 14, in ?
import __m2crypto
ImportError: ld.so.1: python: fatal: relocation error: file
/home/mmedina/python2.3/site-packages/M2Crypto/__m2crypto.so: symbol
d2i_SSL_SESSION: referenced symbol not found
cengsu01:/home/mmedina/scripts/python >

However, I went back to INSTALL instructions for M2Crypto.  I saw I
forgot to run alltests.py

I ran the alltests.py and received the following:

Traceback (most recent call last):
  File "alltests.py", line 61, in ?
from M2Crypto import Rand
  File
"/home/mmedina/crypt/m2kcrypto/m2crypto-0.16/M2Crypto/__init__.py",
line 14, in ?
import __m2crypto
ImportError: No module named __m2crypto
cengsu01:/home/mmedina/crypt/m2kcrypto/m2crypto-0.16/tests

Can you tell me what I did not do?

Thanks in advance.

Heikki Toivonen wrote:
> matey wrote:
> > However, when I use the following command: python setup.py install
> > I get the following error:
> >
> > creating /usr/local/lib/python2.3/site-packages/M2Crypto
> > error: could not create
> > '/usr/local/lib/python2.3/site-packages/M2Crypto': Permission denied
>
> Ok, it looks like your M2Crypto built ok, but now you face this
> permission problem which is not specific to M2Crypto. You'd run into
> this with any 3rd party python module.
>
> > Since I don't have root privileges can I install the M2Crypto somewhere
> > else?
>
> You could manually copy the built M2Crypto directory somewhere in your
> home directory, for example:
>
> /home/mmedina/python2.3/site-packages/M2Crypto
>
> Then, you'd edit (or create) PYTHONPATH environment variable so that it
> contained /home/mmedina/python2.3/site-packages. After that you should
> be able to import M2Crypto in your scripts. In the future if you needed
> more 3rd party libs you could just place them as siblings of M2Crypto in
> your personal site-packages dir we created above.
>
> An alternative is to copy M2Crypto and any other 3rd party libs into the
> same dir where your python script is so that when you do an import, the
> 3rd party libs are found in the same dir.
> 
> -- 
>   Heikki Toivonen



Re: Python and SSL enabled

2006-10-31 Thread Heikki Toivonen
matey wrote:
> However, when I use the following command: python setup.py install
> I get the following error:
> 
> creating /usr/local/lib/python2.3/site-packages/M2Crypto
> error: could not create
> '/usr/local/lib/python2.3/site-packages/M2Crypto': Permission denied

Ok, it looks like your M2Crypto built ok, but now you face this
permission problem which is not specific to M2Crypto. You'd run into
this with any 3rd party python module.

> Since I don't have root privileges can I install the M2Crypto somewhere
> else?

You could manually copy the built M2Crypto directory somewhere in your
home directory, for example:

/home/mmedina/python2.3/site-packages/M2Crypto

Then, you'd edit (or create) PYTHONPATH environment variable so that it
contained /home/mmedina/python2.3/site-packages. After that you should
be able to import M2Crypto in your scripts. In the future if you needed
more 3rd party libs you could just place them as siblings of M2Crypto in
your personal site-packages dir we created above.

An alternative is to copy M2Crypto and any other 3rd party libs into the
same dir where your python script is so that when you do an import, the
3rd party libs are found in the same dir.

-- 
  Heikki Toivonen
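
The copy-into-your-own-site-packages steps above, and the note elsewhere in this thread that the *built* M2Crypto directory must be copied because the source one has no `.so` file, can be checked before importing. This is an added example, not part of the original posts or of M2Crypto: `locate`, `make_tree` and `demo` are hypothetical names, it uses the current Python 3 standard library, and the two directory trees are constructed stand-ins holding empty files.

```python
import importlib.machinery
import os
import tempfile

# Shortest extension-module suffix for this platform ('.so' on Solaris/Linux).
EXT_SUFFIX = importlib.machinery.EXTENSION_SUFFIXES[-1]


def locate(package, extension, search_path):
    """Report which directory `package` would be imported from and whether
    its compiled extension module sits next to __init__.py. Nothing is loaded."""
    finder = importlib.machinery.PathFinder
    spec = finder.find_spec(package, search_path)
    if spec is None or not spec.submodule_search_locations:
        return {"package_dir": None, "extension": None}
    pkg_dirs = list(spec.submodule_search_locations)
    ext = finder.find_spec(package + "." + extension, pkg_dirs)
    return {"package_dir": pkg_dirs[0],
            "extension": ext.origin if ext else None}


def make_tree(root, with_extension):
    """Constructed stand-in for a source (no .so) or built M2Crypto directory."""
    pkg = os.path.join(root, "M2Crypto")
    os.makedirs(pkg)
    open(os.path.join(pkg, "__init__.py"), "w").close()
    if with_extension:
        open(os.path.join(pkg, "__m2crypto" + EXT_SUFFIX), "w").close()
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src = make_tree(os.path.join(tmp, "source"), with_extension=False)
        built = make_tree(os.path.join(tmp, "built"), with_extension=True)
        return (locate("M2Crypto", "__m2crypto", [src]),    # source tree only
                locate("M2Crypto", "__m2crypto", [built]),  # built tree only
                # First match on the path wins: the source tree shadows the
                # built one and the extension is reported missing.
                locate("M2Crypto", "__m2crypto", [src, built]))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real system, pass the entries of `PYTHONPATH` (or `sys.path`) as `search_path`; a result with `extension` set to `None` means the import would stop at the package's `__init__.py`.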


Re: Python and SSL enabled

2006-10-31 Thread matey
Problem:  I want to be able to access an HTTPS website and read/write commands
to this website.

From reading this group it appears I need M2Crypto and OpenSSL

Current version of Python 2.3.4

I downloaded:
M2Crypto 0.16
OpenSSL 0.9.7k
SWIG 1.3.29

Compiled OpenSSL libraries are located in /home/mmedina/lib/libcrypto.a
and libssl.a
I compiled M2Crypto

cengsu01:/home/mmedina/crypt/m2kcrypto/m2crypto-0.16/build/lib.solaris-2.9-sun4u-2.3/M2Crypto
>ls -alt
total 1624
drwxr-xr-x   4 mmedina  asip 512 Oct 31 09:45 ./
-rwxr-xr-x   1 mmedina  asip  690332 Oct 31 09:45 __m2crypto.so*
drwxr-xr-x   3 mmedina  asip 512 Oct 30 08:38 ../
drwxr-xr-x   2 mmedina  asip 512 Oct 30 08:38 PGP/
drwxr-xr-x   2 mmedina  asip 512 Oct 30 08:38 SSL/
-rw-r--r--   1 mmedina  asip8655 Jul  5 13:35 EC.py
-rw-r--r--   1 mmedina  asip 771 Jun 12 10:36 __init__.py
-rw-r--r--   1 mmedina  asip   14018 May 22 14:06 DSA.py
-rw-r--r--   1 mmedina  asip1588 May 10 14:31 util.py
-rw-r--r--   1 mmedina  asip7189 Apr 27  2006 SMIME.py
-rw-r--r--   1 mmedina  asip2118 Apr 27  2006 m2urllib.py
-rw-r--r--   1 mmedina  asip   10784 Apr 26  2006 EVP.py
-rw-r--r--   1 mmedina  asip   11238 Apr 26  2006 RSA.py
-rw-r--r--   1 mmedina  asip   25817 Apr 11  2006 X509.py
-rw-r--r--   1 mmedina  asip 207 Mar 31  2006 callback.py
-rw-r--r--   1 mmedina  asip 379 Mar 29  2006 Rand.py
-rw-r--r--   1 mmedina  asip7302 Mar 25  2006 BIO.py
-rw-r--r--   1 mmedina  asip3306 Mar 20  2006 ASN1.py
-rw-r--r--   1 mmedina  asip3085 Mar 20  2006 AuthCookie.py
-rw-r--r--   1 mmedina  asip1330 Mar 20  2006 BN.py
-rw-r--r--   1 mmedina  asip2374 Mar 20  2006 DH.py
-rw-r--r--   1 mmedina  asip 936 Mar 20  2006 Err.py
-rw-r--r--   1 mmedina  asip 692 Mar 20  2006 RC4.py
-rw-r--r--   1 mmedina  asip2896 Mar 20  2006 ftpslib.py
-rw-r--r--   1 mmedina  asip2210 Mar 20  2006 httpslib.py
-rw-r--r--   1 mmedina  asip 785 Mar 20  2006 m2.py
-rw-r--r--   1 mmedina  asip1804 Mar 20  2006 m2xmlrpclib.py
-rw-r--r--   1 mmedina  asip 347 Mar 20  2006 threading.py
cengsu01:/home/mmedina/crypt/m2kcrypto/m2crypto-0.16/build/lib.solaris-2.9-sun4u-2.3/M2Crypto
>

However, when I use the following command: python setup.py install
I get the following error:

creating /usr/local/lib/python2.3/site-packages/M2Crypto
error: could not create
'/usr/local/lib/python2.3/site-packages/M2Crypto': Permission denied

Since I don't have root privileges can I install the M2Crypto somewhere
else?

Also, am I on the right track if I want to be able to access an HTTPS
page?

thanks in advance,

Monica


Heikki Toivonen wrote:
> matey wrote:
> > I have version 2.3.4.  I want to write a python script to access a
> > secure HTTPS.
> >
> > I tried the following:
> >
> > import urllib
> > f = urllib.urlopen("https://somesecuresite.com")
> > s = f.read()
> > f.close()
>
> I hope you know the Python stdlib SSL does not provide certificate
> checking etc. security features you almost certainly want in a
> production application. There are several 3rd party Python crypto
> libraries that provide more secure SSL out of the box, for example M2Crypto.
> 
> -- 
>   Heikki Toivonen



Re: Python and SSL enabled

2006-10-25 Thread Heikki Toivonen
matey wrote:
> I have version 2.3.4.  I want to write a python script to access a
> secure HTTPS.
> 
> I tried the following:
> 
> import urllib
> f = urllib.urlopen("https://somesecuresite.com")
> s = f.read()
> f.close()

I hope you know the Python stdlib SSL does not provide certificate
checking etc. security features you almost certainly want in a
production application. There are several 3rd party Python crypto
libraries that provide more secure SSL out of the box, for example M2Crypto.

-- 
  Heikki Toivonen
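
The certificate-checking point above, shown with the current Python 3 standard library `ssl` module rather than the 2006-era stdlib or M2Crypto. This is an added example, not code from the thread; `verified_context`, `unverified_context`, `audit` and `fetch` are hypothetical names.

```python
import ssl
import urllib.request


def verified_context(cafile=None):
    """Context that checks the certificate chain and the host name.
    With cafile=None the system's root CA store is used."""
    return ssl.create_default_context(cafile=cafile)


def unverified_context():
    """The behaviour the thread warns about: encrypted, but any peer is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Return the reasons a context is open to a man-in-the-middle (empty if none)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("host name is not matched against the certificate")
    return problems


def fetch(url, ctx, timeout=10):
    """Fetch url over HTTPS, refusing any context that fails the audit."""
    problems = audit(ctx)
    if problems:
        raise ValueError("refusing insecure TLS context: " + "; ".join(problems))
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("verified:  ", audit(verified_context()))
    print("unverified:", audit(unverified_context()))
```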


Python and SSL enabled

2006-10-24 Thread matey

I have version 2.3.4.  I want to write a python script to access a
secure HTTPS.

I tried the following:

import urllib
f = urllib.urlopen("https://somesecuresite.com")
s = f.read()
f.close()

I get the following:

IOError [Errno url error] unknown url type: 'https'

1. How do I know if SSL is enabled?
2. What can I do to get this to work?

Thanks,

Matey
