ssl server
Seb
sebastianthegreatful at gmail.com
Thu Sep 18 03:58:33 EDT 2008
On Sep 18, 1:05 am, Michael Palmer <m_palme... at yahoo.ca> wrote:
> On Sep 17, 1:33 pm, Seb <sebastianthegreat... at gmail.com> wrote:
>
> > I'm making a ssl server, but I'm not sure how I can verify the
> > clients. What do I actually need to place in _verify to actually
> > verify that the client cert is signed by me?
>
> > from SocketServer import TCPServer
> > import socket
> > from OpenSSL import SSL
> >
> > class SSLTCPServer(TCPServer):
> >     keyFile = "sslcert/server.key"
> >     certFile = "sslcert/server.crt"
> >
> >     def __init__(self, server_address, RequestHandlerClass):
> >         ctx = SSL.Context(SSL.SSLv23_METHOD)
> >         ctx.use_privatekey_file(self.keyFile)
> >         ctx.use_certificate_file(self.certFile)
> >         ctx.set_verify(SSL.VERIFY_PEER |
> >                        SSL.VERIFY_FAIL_IF_NO_PEER_CERT |
> >                        SSL.VERIFY_CLIENT_ONCE,
> >                        self._verify)
> >         ctx.set_verify_depth(10)
> >         ctx.set_session_id('DFS')
> >
> >         self.server_address = server_address
> >         self.RequestHandlerClass = RequestHandlerClass
> >         self.socket = socket.socket(self.address_family,
> >                                     self.socket_type)
> >         self.socket = SSL.Connection(ctx, self.socket)
> >         self.socket.bind(self.server_address)
> >         self.socket.listen(self.request_queue_size)
> >
> >     def _verify(self, conn, cert, errno, depth, retcode):
> >         return (not cert.has_expired() and
> >                 cert.get_issuer().organizationName == 'DFS')
>
> If I were you, I would just hide behind Apache, nginx or
> another server that does SSL. Just have that server proxy locally to
> your Python server over HTTP, and firewall the Python server port.
Good idea; however, at the moment this is a school project, so that's not really an
option right now. I might take this a bit further later and use
that solution.
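The posted SSLTCPServer has two gaps that a verify callback alone cannot close: no CA certificate is ever loaded into the context (so OpenSSL cannot build a chain for any client certificate), and `_verify` ignores `retcode`, the result of OpenSSL's own chain check, so a self-signed certificate whose issuer says O=DFS passes the issuer test. The example below is added here and is not code from the original post; it is written against Python 3's standard `ssl` module rather than pyOpenSSL, with the post's settings mapped onto it (VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT becomes CERT_REQUIRED, the callback becomes a policy check on `getpeercert()` after the library has verified the chain). The file paths, the port and the organization name "DFS" are assumptions.

```python
"""Client-certificate verification for a TLS server with Python's stdlib ``ssl``.

Added example, not code from the original post.  The library proves the
client certificate was signed by the loaded CA; the application then applies
the post's issuer check on top of that.  Paths, port and "DFS" are assumed.
"""
import socketserver
import ssl
import time

EXPECTED_ISSUER_ORG = "DFS"          # assumed, taken from the post's check
CERT_FILE = "sslcert/server.crt"     # assumed paths, as in the post
KEY_FILE = "sslcert/server.key"
CA_FILE = "sslcert/ca.crt"           # assumed: the CA that signs client certs


def make_server_context(certfile=CERT_FILE, keyfile=KEY_FILE, cafile=CA_FILE):
    """Server context that refuses any client without a certificate chaining
    to ``cafile``.  CERT_REQUIRED is the stdlib spelling of pyOpenSSL's
    VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile=cafile)  # without this no client chain can verify
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def issuer_org(cert):
    """Organization name of the issuer, read from the dict that
    SSLSocket.getpeercert() returns (a tuple of RDNs, each a tuple of
    (name, value) pairs)."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return None


def client_cert_is_acceptable(cert, expected_org=EXPECTED_ISSUER_ORG, now=None):
    """Application policy applied after the handshake, i.e. after the library
    has already checked signature, chain and validity period.  The issuer test
    is the post's check; without the chain check behind it, any self-signed
    certificate carrying O=DFS would pass.  Returns (ok, reason)."""
    if not cert:
        return False, "no client certificate presented"
    org = issuer_org(cert)
    if org != expected_org:
        return False, "issuer organization %r is not %r" % (org, expected_org)
    now = time.time() if now is None else now
    if now >= ssl.cert_time_to_seconds(cert["notAfter"]):
        # the handshake already rejects expired certs; kept as belt and braces
        return False, "certificate expired"
    return True, "ok"


class SSLTCPServer(socketserver.TCPServer):
    """TCPServer whose accepted connections are wrapped in TLS with client auth."""

    def __init__(self, server_address, RequestHandlerClass, ctx):
        self.ctx = ctx
        super().__init__(server_address, RequestHandlerClass)

    def get_request(self):
        conn, addr = self.socket.accept()
        try:
            # wrap_socket runs the handshake; a missing or unverifiable client
            # certificate raises ssl.SSLError (an OSError), which TCPServer's
            # request loop treats as a dropped connection.
            tls = self.ctx.wrap_socket(conn, server_side=True)
        except ssl.SSLError:
            conn.close()
            raise
        ok, reason = client_cert_is_acceptable(tls.getpeercert())
        if not ok:
            tls.close()
            raise OSError("client rejected: " + reason)
        return tls, addr


class EchoHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # self.request is the SSLSocket; by now the client is vouched for by our CA
        self.wfile.write(self.rfile.readline())


if __name__ == "__main__":
    server = SSLTCPServer(("127.0.0.1", 8443), EchoHandler, make_server_context())
    server.serve_forever()
```

With CERT_REQUIRED and a loaded CA, the handshake itself answers "is this certificate signed by me"; `client_cert_is_acceptable` only narrows that further (for example when the same CA also issues certificates for other purposes). The equivalent fix in the pyOpenSSL code would be to call `ctx.load_verify_locations(...)` and to return `retcode` from `_verify` (optionally combined with the issuer check) instead of replacing it.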