[Python-il] xmlrpc over ssl

Dan Kenigsberg danken at cs.technion.ac.il
Thu Feb 28 19:26:59 IST 2008


On Tue, Jan 08, 2008 at 09:20:07AM +0200, Dan Kenigsberg wrote:
> On Tue, Jan 08, 2008 at 12:07:41AM +0200, Meir Kriheli wrote:
> > Dan Kenigsberg wrote:
> > >Dear List,
> > >
> > >I saw that creating an XML-RPC client-server system in python is very simple.
> > >However, when I wanted to see how to do it all over SSL, everything got
> > >complicated. I'd like the server to authenticate the client, and hopefully
> > >vice versa. What is the recommended way of doing it?
>  
> > Maybe this can help (note the comments regarding a change for python 2.5):
> > 
> > http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/496786
>  
> Thanks, though it would be nice to understand what's wrong with the pyOpenSSL
> example. 
> 
> This recipe takes me a bit forward, but still does not help much because it does
> not give a clue on how the client should supply its certificate. (it also does
> not give means of checking the certificate on the server, but I'm guessing that 
> this could be changed by adding
> ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
> in the appropriate place)
> 
> So, if anyone has an even better bit of info, please come forward.

OK. It took me a while to tie the loose ends, but now it works. I'll lay it out
here for the archive's sake.

First, you need to have 
* openssl
* M2Crypto
* a fake truststore along the lines of
    * ts/certs/ca.pem
    * ts/certs/server.pem
    * ts/certs/client.pem
    * ts/keys/server.pem
    * ts/keys/client.pem
Then, in the client, you should 
    ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 16)
    ctx.load_verify_locations(CACERT)
    ctx.load_cert(CERTFILE, KEYFILE)

I've put a complete working example on
http://www.cs.technion.ac.il/~danken/xmlrpc-ssl.html

Regards,

-- 
Dan Kenigsberg        http://www.cs.technion.ac.il/~danken        ICQ 162180901
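
Added example, not part of the original post or of the page it links to: the same mutual-authentication setup written with Python 3's standard ssl module instead of M2Crypto, using the truststore layout listed above. The port, the function names and the allow-listed CN "client" are assumptions, and it goes one step beyond the post by having the server also check which verified client certificate is calling.

```python
import ssl
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler

TS = "ts"                 # truststore directory, laid out as in the post
ALLOWED_CNS = {"client"}  # assumption: CN used in ts/certs/client.pem


def server_context(ts=TS):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Server-side analogue of verify_peer | verify_fail_if_no_peer_cert:
    # the handshake fails unless the client presents a cert signed by ca.pem.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(f"{ts}/certs/ca.pem")
    ctx.load_cert_chain(f"{ts}/certs/server.pem", f"{ts}/keys/server.pem")
    return ctx


def client_context(ts=TS):
    # PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(f"{ts}/certs/ca.pem")
    ctx.load_cert_chain(f"{ts}/certs/client.pem", f"{ts}/keys/client.pem")
    return ctx


def common_name(cert):
    """CN from the dict returned by SSLSocket.getpeercert(), or None."""
    for rdn in (cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


class Handler(SimpleXMLRPCRequestHandler):
    def do_POST(self):
        # The chain is already verified; this decides which client may call.
        if common_name(self.connection.getpeercert()) not in ALLOWED_CNS:
            return self.send_error(403)
        super().do_POST()


def serve(host="localhost", port=8443):
    srv = SimpleXMLRPCServer((host, port), requestHandler=Handler)
    srv.socket = server_context().wrap_socket(srv.socket, server_side=True)
    srv.register_function(pow)
    srv.serve_forever()


def call(host="localhost", port=8443):
    url = f"https://{host}:{port}/"
    return xmlrpc.client.ServerProxy(url, context=client_context()).pow(2, 10)
```

Run serve() in one process and call() in another; the server certificate must name the host the client connects to, since the client context checks the hostname.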

