URLopener with x509?

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Mon Jul 22 20:47:17 EDT 2002


parameter at go.com (bilbo) writes:
> I'd like to use https with Python as a client to a private apache
> server.

Good plan.

> Because it's my server and my client, I thought I could create my own
> RSA keys.

Yes you can.

> URLopener looks promising.  It can take arguments called key_file and
> cert_file.  That sounds like what I need.  The documentation leaves
> me wondering what should be in the key_file and cert_file.  Does
> anyone have an example of doing this?

Last I looked, URLopener doesn't check certificates, but maybe it
does by now.

> Does the client need a private key for an https connection?

It's optional.  It's considered the most secure way to authenticate
the client to the server, and eases management if you want to run a
server that talks to a lot of different authenticated partners (just
run a CA and give them certificates for public keys that they generate
themselves).  If you don't want to bother with this, since you control
both the client and server ends, just set up a shared secret key
string between them, for example in an HTTP cookie or HTTP basic
authentication.  Either of these will run underneath the SSL
encryption layer so the secret string won't be interceptable by
network snooping.

> The code I've tested so far works with official keys from a
> certificate authority, but not with my keys (I'm testing without using
> the key_file and cert_file arguments).
> 
> I'm hoping I can somehow refer the client to the server's public key
> and have the client trust it without asking a certificate authority.

Normally you would set up your own certificate authority and issue
certs from it.  See the ModSSL docs for how to do this.  There's a
rudimentary CA (perl script) included with OpenSSL and a fancier one
written in Python at www.pyca.de.  
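An added example, not part of the original thread and not Paul's or bilbo's code: the modern standard-library equivalent of the setup discussed above, namely a private CA you run yourself, a server certificate issued by it, and an optional client certificate presented through an SSLContext, which is what URLopener's key_file and cert_file arguments turned into. Since PEP 476 (Python 2.7.9 and 3.4.3) the stdlib HTTPS client verifies the server certificate by default, so a private CA has to be handed to the client explicitly rather than relied on to be silently accepted. The example assumes the `openssl` command-line tool is on PATH; it is used only to mint a throwaway CA and two leaf certificates in a temporary directory, and the names in it ("Test Private CA", "bilbo-client") are constructed. It runs three exchanges against a local server that requires a client certificate: mutual TLS succeeds and the server sees the client's CN; omitting the client certificate is refused by the server; and a client that trusts only the system CA store, which is what bilbo's test without key_file/cert_file amounts to, fails with SSLCertVerificationError because nothing vouches for the private CA.

```python
# Added example (not from the thread). Needs the `openssl` binary on PATH for
# certificate minting; everything else is the Python standard library.
import http.client
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(cwd, *args):
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def mint_pki(d):
    """Write ca/server/client key+cert pairs into d; the leaves are signed by the CA."""
    _openssl(d, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Test Private CA", "-keyout", "ca.key", "-out", "ca.crt")
    # Constructed names; "bilbo-client" is the CN the server will see in the client cert.
    for name, subj, ext in (
        ("server", "/CN=localhost", "subjectAltName=DNS:localhost,IP:127.0.0.1"),
        ("client", "/CN=bilbo-client", "extendedKeyUsage=clientAuth"),
    ):
        _openssl(d, "req", "-newkey", "rsa:2048", "-nodes", "-subj", subj,
                 "-keyout", name + ".key", "-out", name + ".csr")
        with open(os.path.join(d, name + ".ext"), "w") as f:
            f.write(ext + "\n")
        _openssl(d, "x509", "-req", "-days", "1", "-in", name + ".csr",
                 "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
                 "-extfile", name + ".ext", "-out", name + ".crt")


def client_context(cafile=None, certfile=None, keyfile=None):
    """Stand-in for URLopener(key_file=..., cert_file=...): cafile=None trusts the system
    CA store, a private CA cert trusts that CA instead; certfile/keyfile add a client cert.
    Server verification and hostname checking stay on in both cases."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def server_context(d):
    """Server trusts the private CA and refuses clients that present no certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(os.path.join(d, "server.crt"), os.path.join(d, "server.key"))
    ctx.load_verify_locations(os.path.join(d, "ca.crt"))
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _serve(listener, ctx, seen):
    """Accept one connection, record the client CN (or the failure), answer one GET."""
    try:
        conn, _ = listener.accept()
        conn.settimeout(5)
        with ctx.wrap_socket(conn, server_side=True) as tls:  # handshake happens here
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            seen["client_cn"] = subject.get("commonName")
            tls.recv(4096)
            tls.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        seen["server_error"] = type(e).__name__


def attempt(d, cafile, certfile=None, keyfile=None):
    """One HTTPS GET from a client built with the given trust and identity settings."""
    seen = {}
    with socket.create_server(("127.0.0.1", 0)) as listener:
        listener.settimeout(5)
        port = listener.getsockname()[1]
        t = threading.Thread(target=_serve, args=(listener, server_context(d), seen), daemon=True)
        t.start()
        conn = http.client.HTTPSConnection("127.0.0.1", port, timeout=5,
                                           context=client_context(cafile, certfile, keyfile))
        try:
            conn.request("GET", "/")
            seen["status"] = conn.getresponse().status
        except (OSError, http.client.HTTPException) as e:
            seen["client_error"] = type(e).__name__
        finally:
            conn.close()
        t.join(5)
    return seen


def run_demo():
    """Mint a throwaway PKI and try three client configurations; None if openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    d = tempfile.mkdtemp()
    try:
        mint_pki(d)
        ca, crt, key = (os.path.join(d, n) for n in ("ca.crt", "client.crt", "client.key"))
        return {
            "mutual_tls": attempt(d, ca, crt, key),        # private CA trusted + client cert
            "no_client_cert": attempt(d, ca),              # server refuses: no client cert
            "system_cas_only": attempt(d, None, crt, key), # private CA untrusted: verify fails
        }
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to print the three outcomes; run_demo() returns None when openssl is not installed. The shared-secret alternative Paul mentions would be an Authorization header on the same HTTPSConnection; it only stays hidden from network snooping if the client actually verifies the server before sending it, which is what client_context enforces and what a client with verification switched off would not.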


