I think as a practical solution you should remove the password from the
server private key, as Niphlod pointed out in this same thread.
BTW, I suggest using any of apache, nginx, cherokee, uwsgi and probably
other webservers instead of rocket and having them do the SSL/TLS part.
web2py auth code will work the same, but the server will ask you for the
password only at startup, and it will usually be faster than rocket.


mic



2012/11/8 Amit <amit.khaw...@gmail.com>

> Thanks Michele, I resolved the issue by overriding class X509Auth :), one
> more clarification:
> using openssl, I created CA certificates and a private key, then client and
> server certificates with their private keys signed by the CA certificate;
> everything is working fine except:
> when I access my application I always need to provide the server
> certificate password on the command prompt (where the server has started) to
> access the page. Is there any way to disable this? Meaning, the user only needs
> to import the client certificate into their browser, and when they access the
> application it will allow access to the pages of the application without
> asking for the password. Anyway, the user doesn't have access to the server, so they
> can't provide the password; so in this case, even though they
> will be able to import the client certificate (the server certificate is
> automatically downloaded to the browser when they make a request to the application),
> they can't access the application pages because on the server command
> prompt it will ask for the password. So how to make it password free?
>
>
> On Wed, Nov 7, 2012 at 6:52 PM, Michele Comitini <
> michele.comit...@gmail.com> wrote:
>
>> Amit,
>>
>> A "self" was missing; this should work:
>>
>> class MyX509Auth(X509Auth):
>>     def get_user(self):
>>         # surname must be a list: X509Auth.get_user() reduce()s over it
>>         self.subject.surname = ['<put something here>']
>>         return X509Auth.get_user(self)
>>
>> auth.settings.login_form = MyX509Auth()
>>
>>
>> 2012/11/7 Michele Comitini <michele.comit...@gmail.com>
>>
>>> Amit,
>>>
>>> in your model, call the derived class:
>>>
>>> auth.settings.login_form = MyX509Auth()
>>>
>>>
>>>
>>> 2012/11/7 Michele Comitini <michele.comit...@gmail.com>
>>>
>>>> simpatiCA makes the client certificates already with the needed fields.
>>>> Since you use openssl directly you can set all the fields you need in
>>>> the certificates by changing openssl.cnf in your openssl installation.
>>>> There is plenty of documentation on that.
>>>>
>>>> OR you can extend the class X509Auth to fit your needs by overriding
>>>> get_user()
>>>>
>>>>
>>>> class MyX509Auth(X509Auth):
>>>>  def get_user():
>>>>               self.subject.surname = <put something here >
>>>>               X509Auth.get_user(self)
>>>>
>>>>
>>>> mic
>>>>
>>>>
>>>>
>>>> 2012/11/7 Amit <amit.khaw...@gmail.com>
>>>>
>>>>> Hi,
>>>>> I filled in the email address in the certificate, but what I think is
>>>>> the problem is with surname; please check the log below:
>>>>>
>>>>>
>>>>> File D:\web2py2.1.1\web2py\gluon\contrib\login_methods\x509_auth.py
>>>>> in get_user at line 91
>>>>> Function argument list:
>>>>> (self=<gluon.contrib.login_methods.x509_auth.X509Auth object>)
>>>>> Code listing (lines 86-95):
>>>>>
>>>>>         p = profile = dict()
>>>>>
>>>>>         username = p['username'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>                                           self.subject.CN or self.subject.commonName)
>>>>>
>>>>>         p['first_name'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>                                  self.subject.givenName or username)
>>>>>
>>>>>         p['last_name'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>                                 self.subject.surname)
>>>>>
>>>>>         p['email'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>                             self.subject.Email or self.subject.emailAddress)
>>>>>
>>>>>         # IMPORTANT WE USE THE CERT SERIAL AS UNIQUE KEY FOR THE USER
>>>>>         p['registration_id'] = self.serial
>>>>>
>>>>> Variables:
>>>>> a undefined, b undefined, builtin reduce <built-in function reduce>,
>>>>> self.subject.surname [],
>>>>> self <gluon.contrib.login_methods.x509_auth.X509Auth object>,
>>>>> self.subject <Storage {'Email': ['amit1.khaw...@gmail.com'],
>>>>> ...SG'], 'organizationUnitName': ['HSG'], 'SN': []}>,
>>>>> p {'first_name': 'A | m | i | t | 1 | | K | h | a | w | a | r | e',
>>>>> 'username': 'Amit1 Khaware'}
>>>>>
>>>>> And while generating the certificates it is not asking about surname;
>>>>> it's asking for the information below:
>>>>>
>>>>> Country Name (2 letter code) [US]:
>>>>> State or Province Name (full name) [CA]:
>>>>> Locality Name (eg, city) [San Diego]:
>>>>> Organization Name (eg, company) [Cafesoft LLC]:
>>>>> Organizational Unit Name (eg, section) []:
>>>>> Common Name (eg, YOUR name) []:Cafesoft CA
>>>>> Email Address [c...@cafenet.com]:
>>>>>
>>>>> Please enter the following 'extra' attributes
>>>>> to be sent with your certificate request
>>>>> A challenge password []:password
>>>>> An optional company name []:
>>>>>
>>>>>
>>>>> please check the link:
>>>>>
>>>>>
>>>>> http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
>>>>>
>>>>> So x509_auth.py expects a surname but the above link doesn't provide an
>>>>> option to fill in the surname :(
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Amit
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Nov 6, 2012 at 8:34 PM, Michele Comitini <
>>>>> michele.comit...@gmail.com> wrote:
>>>>>
>>>>>> self.subject.Email is [] i.e. an empty list.  Check if that is the
>>>>>> problem.
>>>>>>
>>>>>> mic
>>>>>> On 06/nov/2012 14:32, "Amit" <amit.khaw...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I have used the link below to generate server certificates, client
>>>>>>> certificates and CA certificates, imported the client and CA certificates
>>>>>>> into the Mozilla Firefox browser and then deployed the server certificate and CA
>>>>>>> certificate to the Rocket server:
>>>>>>>
>>>>>>> D:\web2py2.1.1\web2py>web2py.py -a password -i 127.0.0.1 -p 8000 -c
>>>>>>> C:\OpenSSL-Win32\bin\cirrusAwareCA\server\certificates\server.test.com.crt
>>>>>>> -k C:\OpenSSL-Win32\bin\cirrusAwareCA\server\keys\server.test.com.key
>>>>>>> --ca-cert=C:\OpenSSL-Win32\bin\cirrusAwareCA\CA\cirrusAwareCA.crt
>>>>>>>
>>>>>>> Then open the browser and type https://127.0.0.1:8000/MyApp/default/index
>>>>>>>
>>>>>>> Now it's giving this error:
>>>>>>> <type 'exceptions.TypeError'> reduce() of empty sequence with no
>>>>>>> initial value
>>>>>>> Error snapshot
>>>>>>> <type 'exceptions.TypeError'>(reduce() of empty sequence with no
>>>>>>> initial value)
>>>>>>>
>>>>>>> Frames
>>>>>>>
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\restricted.py in restricted at line 209
>>>>>>>
>>>>>>> - File D:\web2py2.1.1\web2py\applications\AuthenticationApp\controllers\default.py
>>>>>>>   in <module> at line 76
>>>>>>>
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\globals.py in <lambda> at line 187
>>>>>>>
>>>>>>> - File D:\web2py2.1.1\web2py\applications\AuthenticationApp\controllers\default.py
>>>>>>>   in user at line 38
>>>>>>>   Code listing (lines 33-42):
>>>>>>>
>>>>>>>        use @auth.requires_login()
>>>>>>>            @auth.requires_membership('group name')
>>>>>>>            @auth.requires_permission('read','table name',record_id)
>>>>>>>        to decorate functions that need access control
>>>>>>>        """
>>>>>>>        return dict(form=auth())
>>>>>>>
>>>>>>>
>>>>>>>    def download():
>>>>>>>        """
>>>>>>>
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\tools.py in __call__ at line 1205
>>>>>>>
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\tools.py in login at line 2016
>>>>>>>
>>>>>>> - File D:\web2py2.1.1\web2py\gluon\contrib\login_methods\x509_auth.py
>>>>>>>   in get_user at line 91
>>>>>>>   Function argument list:
>>>>>>>   (self=<gluon.contrib.login_methods.x509_auth.X509Auth object>)
>>>>>>>   Code listing (lines 86-95):
>>>>>>>
>>>>>>>         p = profile = dict()
>>>>>>>
>>>>>>>         username = p['username'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>>>                                           self.subject.CN or self.subject.commonName)
>>>>>>>
>>>>>>>         p['first_name'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>>>                                  self.subject.givenName or username)
>>>>>>>
>>>>>>>         p['last_name'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>>>                                 self.subject.surname)
>>>>>>>
>>>>>>>         p['email'] = reduce(lambda a,b: '%s | %s' % (a,b),
>>>>>>>                             self.subject.Email or self.subject.emailAddress)
>>>>>>>
>>>>>>>         # IMPORTANT WE USE THE CERT SERIAL AS UNIQUE KEY FOR THE USER
>>>>>>>         p['registration_id'] = self.serial
>>>>>>>
>>>>>>>   Variables:
>>>>>>>   a undefined, b undefined, builtin reduce <built-in function reduce>,
>>>>>>>   self.subject.surname [],
>>>>>>>   self <gluon.contrib.login_methods.x509_auth.X509Auth object>,
>>>>>>>   self.subject <Storage {'Email': [], 'C': ['IN'],
>>>>>>>   'serialNumbe...SG'], 'organizationUnitName': ['HSG'], 'SN': []}>,
>>>>>>>   p {'first_name': 'A | m | i | t', 'username': 'Amit'}
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Amit
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Nov 6, 2012 at 6:42 PM, Michele Comitini <
>>>>>>> michele.comit...@gmail.com> wrote:
>>>>>>>
>>>>>>>> https://github.com/web2py/web2py/blob/master/gluon/main.py#L824
>>>>>>>>
>>>>>>>> The log seems to say that your certificate file is not there, or
>>>>>>>> not accessible.
>>>>>>>>
>>>>>>>> mic
>>>>>>>>
>>>>>>>>
>>>>>>>> 2012/11/6 Amit <amit.khaw...@gmail.com>
>>>>>>>>
>>>>>>>>>  I am using Python 2.7.2.
>>>>>>>>>
>>>>>>>>> On Tue, Nov 6, 2012 at 6:33 PM, Michele Comitini <
>>>>>>>>> michele.comit...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> What is your python version?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2012/11/6 Amit <amit.khaw...@gmail.com>
>>>>>>>>>>
>>>>>>>>>>> Hi Michele,
>>>>>>>>>>> I used Simpatica to generate the certificates but failed to
>>>>>>>>>>> deploy them to the web2py server; please check the first mail in
>>>>>>>>>>> this mail chain, where I explained the problem in detail.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Amit
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Nov 6, 2012 at 4:52 PM, Michele Comitini <
>>>>>>>>>>> michele.comit...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I suggest looking at the code in
>>>>>>>>>>>> gluon/contrib/login_methods/x509_auth.py.
>>>>>>>>>>>> Basically you can extract anything from the client-supplied cert and
>>>>>>>>>>>> use it with the auth tables of web2py.  That is really simple.
>>>>>>>>>>>> The tedious part is getting to know what stuff you can put in
>>>>>>>>>>>> the cert.  That is more related to managing a CA than to web2py
>>>>>>>>>>>> itself.
>>>>>>>>>>>>
>>>>>>>>>>>> I have written a simple but functional app for managing a
>>>>>>>>>>>> little CA: simpatiCA <http://goo.gl/nrAhS>; it is simple
>>>>>>>>>>>> enough to be used as an example and extended to your needs.  If
>>>>>>>>>>>> you need a real CA there are more featured solutions around...
>>>>>>>>>>>>
>>>>>>>>>>>> mic
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> > PS: the man behind the X509 auth code in web2py is mcm; sadly for
>>>>>>>>>>>> > you it's documented how it works but not how to organize the
>>>>>>>>>>>> > certs (which in theory you should know in advance)
>>>>>>>>>>>>
>>>>>>>>>>>> 2012/11/6 Niphlod <niph...@gmail.com>
>>>>>>>>>>>>
>>>>>>>>>>>>> hem... one thing is helping you to create certs and a key for an
>>>>>>>>>>>>> SSL protected webserver, quite another to help you manage a
>>>>>>>>>>>>> credential store (I really don't have time for that).
>>>>>>>>>>>>> You have problems finding out what OpenSSL is and want to
>>>>>>>>>>>>> manage X509? Really?
>>>>>>>>>>>>> Maybe it's time to read some docs.
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> PS: the man behind the X509 auth code in web2py is mcm; sadly for
>>>>>>>>>>>>> you it's documented how it works but not how to organize the
>>>>>>>>>>>>> certs (which in theory you should know in advance)
>>>>>>>>>>>>>

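The get_user() override Michele suggests, worked out as an added example that is not from the thread and not web2py's own code: `Storage` and `X509Auth` below are minimal stand-ins (assumed, not the gluon classes) that reproduce only the profile-building lines quoted in Amit's tickets, so the block runs without web2py; `SUBJECT` and the serial `'1001'` are constructed to mirror Amit's second ticket. The subclass fills surname and givenName from the CN before the stock code reduces over them, which avoids both the `reduce() of empty sequence` crash and the `'A | m | i | t'` artefact of reducing over a bare string.

```python
from functools import reduce  # a builtin on Python 2, where web2py 2.x runs

class Storage(dict):  # stand-in for gluon.storage.Storage: missing keys read as None
    def __getattr__(self, key):
        return self.get(key)

    def __setattr__(self, key, value):
        self[key] = value

class X509Auth(object):  # stand-in for web2py's X509Auth, cut down to the traceback's lines
    def __init__(self, subject, serial):
        self.subject = subject  # Storage: subject field name -> list of values
        self.serial = serial

    def get_user(self):
        p = dict()
        join = lambda a, b: '%s | %s' % (a, b)
        username = p['username'] = reduce(join, self.subject.CN or self.subject.commonName)
        # with givenName == [] this reduces over the *string* username: 'A | m | i | t'
        p['first_name'] = reduce(join, self.subject.givenName or username)
        p['last_name'] = reduce(join, self.subject.surname)  # TypeError when surname is []
        p['email'] = reduce(join, self.subject.Email or self.subject.emailAddress)
        p['registration_id'] = self.serial  # the cert serial is the unique user key
        return p

class MyX509Auth(X509Auth):
    """The thread's override, completed: fill fields the CA left out, then return the profile."""
    def get_user(self):
        s = self.subject
        cn = s.CN or s.commonName
        if not cn:
            raise ValueError('client certificate has no CN; refusing to build a profile')
        words = cn[0].split() or [cn[0]]
        if not s.surname:
            s.surname = [words[-1]]   # last word of the CN, e.g. 'Khaware'
        if not s.givenName:
            s.givenName = [words[0]]  # keeps reduce() off the bare username string
        if not (s.Email or s.emailAddress):
            s.Email = ['']            # an empty e-mail rather than a crash
        return X509Auth.get_user(self)

# constructed subject like Amit's second ticket: CN and Email set, surname and givenName empty
SUBJECT = Storage({'CN': ['Amit1 Khaware'], 'Email': ['amit1@example.com'],
                   'C': ['IN'], 'SN': [], 'surname': [], 'givenName': []})

def base_failure(subject):
    try:
        X509Auth(subject, '1001').get_user()
    except TypeError as exc:
        return str(exc)   # "reduce() of empty sequence with no initial value"
```

Because the override mutates the subject it is handed, pass a fresh Storage copy if you want to compare the stock and overridden behaviour on the same certificate.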