SSL/TLS support in Pyro4
Robin Becker
robin at reportlab.com
Fri Aug 4 11:11:04 EDT 2017
On 04/08/2017 15:12, Irmen de Jong wrote:
> On 04/08/2017 15:44, Robin Becker wrote:
..........
> You can specify a CAcert using load_verify_locations on the ssl context. Is that what
> you meant? I figured out that if you set that to the peer's certificate it will then be
Yes, I think so. Certainly the self-signed certs I tried with Python 3 urllib
seemed to require valid hostnames. If I just use this as server
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
# Wrap the listening socket with the self-signed cert/key pair.
# (ssl.wrap_socket() is deprecated since Python 3.7 and removed in 3.12;
#  SSLContext.wrap_socket() does the same job on newer versions.)
httpd.socket = ssl.wrap_socket(httpd.socket,
                               keyfile="/home/rptlab/tmp/key.pem",
                               certfile="/home/rptlab/tmp/cert.pem",
                               server_side=True)
httpd.serve_forever()
and this as requester
from urllib import request

# Trust the server's own self-signed cert as the CA.
# (urlopen(cafile=...) is deprecated since Python 3.6 and removed in 3.13;
#  pass an SSLContext via context= on newer versions.)
req = request.urlopen('https://localhost:4443',
                      cafile='/home/rptlab/tmp/cert.pem')
print(req.read())
then, provided the self-signed cert has the name localhost, requests can be made OK.
I'm guessing this would also work OK if the cert had multiple names embedded in
it, which would allow a small cluster to be used.
I don't know which part of the socket does the hostname checking, but perhaps
that can be turned off somewhere.
> accepted. I understand it as much as "hey openssl here is a root cert that you should
> trust if you encounter it".
> Without doing this, the cert is denied on the SSL level (unless you set the ssl options
> to no-cert-required but that is definitely not what I wanted)
>
> Bottom line is I learned something new :)
>
> And also that Python's standard ssl library isn't as bad as I remember it to be a few
> years ago. Is there still a reason to use, say, PyOpenSSL anymore?
>
It's getting better anyhow.
>
> Irmen
>
--
Robin Becker
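The following is an added, self-contained example that is not part of the original thread and not Pyro4's code. It puts the points above together with the stdlib SSLContext API: a self-signed cert that carries several names (so one cert can serve a small cluster), a client that trusts exactly that cert via load_verify_locations, and the hostname check, which is done by the client's SSLContext (check_hostname) comparing server_hostname against the cert's subjectAltName, and can be switched off there while chain verification stays on. Assumptions: Python 3.7 or later, and an `openssl` command on PATH to mint the throwaway cert; the names localhost and node2.example.test, the port choice and the greeting are mine.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Names the throwaway cert will carry (example values, not from the thread).
# A small cluster can share one cert this way, as the mail speculates.
CERT_NAMES = ["localhost", "node2.example.test"]
GREETING = b"hello over TLS\n"


def make_self_signed(dirpath):
    """Mint a self-signed cert/key pair with the openssl CLI (assumed on PATH)."""
    cert = os.path.join(dirpath, "cert.pem")
    key = os.path.join(dirpath, "key.pem")
    san = ",".join("DNS:" + n for n in CERT_NAMES)
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=" + CERT_NAMES[0],
         # Modern verifiers match names against subjectAltName, not the CN.
         "-addext", "subjectAltName=" + san],
        check=True, capture_output=True)
    return cert, key


def start_server(certfile, keyfile, n_connections):
    """Serve n_connections TLS clients on 127.0.0.1; return (host, port).

    Uses an SSLContext rather than the module-level ssl.wrap_socket(),
    which was deprecated in 3.7 and removed in 3.12.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def loop():
        for _ in range(n_connections):
            conn, _peer = listener.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(GREETING)
            except OSError:
                pass  # client tore the handshake down (it rejected our cert)
        listener.close()

    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()


def connect(addr, cafile, server_hostname, check_hostname=True):
    """Client side. Returns ("ok", greeting) or ("rejected", verify_code).

    The hostname check lives here, in the client's SSLContext: with
    check_hostname=True the ssl module compares server_hostname against the
    cert's names; with False that step is skipped, but the chain is still
    verified because verify_mode stays CERT_REQUIRED.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if cafile is not None:
        # "Here is a root cert you should trust": the server's own cert.
        ctx.load_verify_locations(cafile=cafile)
    ctx.check_hostname = check_hostname
    try:
        with socket.create_connection(addr, timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return ("ok", tls.recv(1024))
    except ssl.SSLCertVerificationError as err:
        return ("rejected", err.verify_code)


def demo():
    """Run the five scenarios against one server; return name -> outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        addr = start_server(cert, key, 5)
        return {
            # System CA store only: the self-signed cert fails at the SSL level.
            "untrusted": connect(addr, None, "localhost"),
            # Cert trusted, first name.
            "trusted_name1": connect(addr, cert, "localhost"),
            # Same cert, second cluster name; we still dial 127.0.0.1.
            "trusted_name2": connect(addr, cert, "node2.example.test"),
            # Cert trusted, but a name it does not carry: hostname check fails.
            "trusted_wrong_name": connect(addr, cert, "other.example.test"),
            # Hostname check turned off: accepted, chain still verified.
            "trusted_wrong_name_nocheck": connect(
                addr, cert, "other.example.test", check_hostname=False),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

Running it shows the two rejections happening for different reasons: the untrusted case fails chain verification, the wrong-name case fails only the hostname comparison, and the last scenario shows that turning check_hostname off is what makes a dial-by-IP connection pass, which is also why it should stay on whenever the cert's names can be made to match.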