Python and SSL

["Martin v. Löwis"]

> - I noticed that socket module provides an SSL class (socket.ssl) but
> even if documentation reports that it does not do any certificate
> verification a lot of stdlib modules (imaplib, poplib, smtplib,
> httplib and urllib2) provides SSL extension classes wherein socket.ssl
> is used. What does it mean?

It means that these modules can do encrypted communication for their
respective protocol. They cannot validate that they are really talking
to the server they think they talk to (so they are prone to a
man-in-the-middle attack), however, as communication is encrypted, they
are protected against wire-tapping. Also, some servers require
encrypted connections (e.g. when passwords are transmitted), so they
can use SSL for that.

> - On top of that why such extension classes [examples: 1, 2, 3]
> accepts key-files and cert-files as optional argouments if no
> certificate verification occurs?
> [1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
> [2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
> [3] smtplib.starttls( [keyfile[, certfile]])

These are client certificates. Some servers require that clients
authenticate through client certificates. This effectively avoids
man-in-the-middle attacks, as the server will validate the client's
certificate.

> - By searching through the web I found some daemons supporting SSL
> such as this one:
> http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
> By looking at the code I notice that pyopenssl package is used and
> that a certificate file is required. Why do I need to use pyopenssl
> and how do I generate the cert file?

You can generate certificate files using the openssl command line
tool; see the openssl documentation for details.

Martin