
[python] socket.ssl


Zdenek Pavlas
May 9, 2003, 9:14:19 AM
Hi,

I have a problem with SSL on the server side. While the client-side SSL negotiation
goes fine (for example when I want to connect to an https server), on the opposite
side it goes like this:

>>> from socket import *
>>> s=socket(AF_INET, SOCK_STREAM)
>>> s.bind (('', 1080))
>>> s.listen (5)
>>> s.accept ()
(<socket object, fd=4, family=2, type=1, protocol=0>, ('127.0.0.1', 3066))
(after starting links https://localhost:1080, which is now in the "ssl
negotiation" state)
>>> c = _[0]
>>> ssl.__doc__
'ssl(socket, keyfile, certfile) -> sslobject'
>>> ssl (c, 'cert_key.pem', 'cert.pem')
Traceback (most recent call last):
File "<stdin>", line 1, in ?
socket.sslerror: SSL_connect error
..whereupon the server closes the socket, because links shows "connection refused".

Does anyone know what I'm doing wrong? The private key and self-signed certificate
are fine; apache and stunnel work with them without any problems.
Loading and verifying them is also OK, because when I either swap them
or truncate them to zero length, I get a different error message.

--
Zdenek Pavlas

_______________________________________________
python mailing list
pyt...@py.cz
http://www.py.cz/mailman/listinfo/python

Radek Kanovsky
May 9, 2003, 9:40:49 AM

I haven't seen it written anywhere, but I think socket.ssl is made only
for clients. For a server you need to use the openssl module or something else.

Radek Kaňovský

-----------------------------------------------------------------
from OpenSSL import SSL
import os, socket

PORT = 50007

def verify_cb(conn, cert, errnum, depth, ok):
    # This obviously has to be updated
    print('Got certificate: %s' % cert.get_subject())
    return ok  # keep OpenSSL's own verdict for this certificate

# Initialize context
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_options(SSL.OP_NO_SSLv2)
#ctx.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
ctx.set_verify(SSL.VERIFY_PEER, verify_cb)
ctx.use_privatekey_file('key.pem')
ctx.use_certificate_file('cert.pem')
#ctx.load_verify_locations(os.path.join(dir, 'CA.cert'))

# Set up server
server = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
server.bind(('', PORT))
server.listen(3)
#server.setblocking(0)

# accept() returns an SSL Connection in accept state; the handshake runs on the first recv()
cli, addr = server.accept()
print(cli, addr)
data = cli.recv(1024)
cli.send(data)
cli.shutdown()

ViNiL
May 9, 2003, 9:35:26 AM
On Fri 9 May 2003 15:14 Zdenek Pavlas wrote:
> Ahoj,

> Traceback (most recent call last):
> File "<stdin>", line 1, in ?
> socket.sslerror: SSL_connect error
> ..whereupon the server closes the socket, because links shows "connection refused".
>
> Does anyone know what I'm doing wrong?

What Python is that? I'm looking at 2.2.2 right now, and it seems to me that it
couldn't even produce such a terse Error object ;-) Here it dutifully calls
SSL_get_error() for everything and builds a descriptive exception from that....

--

ViNiL, the GNU Hippie

"bring them to me -- alive and unspoiled"

Zdenek Pavlas
May 9, 2003, 10:03:43 AM
ViNiL wrote:

> What Python is that? I'm looking at 2.2.2 right now, and it seems to me that it
> couldn't even produce such a terse Error object ;-) Here it dutifully calls
> SSL_get_error() for everything and builds a descriptive exception from that....

It was 2.1.3, the default in the current stable Debian.
I tried the same thing in 2.2.1:
socket.sslerror: (1, 'error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol')

..which is strange, _socket.so and links are both built against the same libssl.so
What's odd is that the server is waiting for SERVER_HELO. Dang, isn't that protocol
asymmetric? I thought it was symmetric..

--
Zdenek Pavlas
Application Developer
NEXTRA Czech Republic s.r.o. http://www.nextra.cz
V Celnici 10 / CZ - 117 21 Praha 1 / Czech Republic
Tel: +420/2/96 355 111
E-Mail: zdenek...@nextra.com

Contact address:
Hlinky 114 / CZ - 603 00 Brno / Czech Republic
Tel: +420/5/43 554 170
Fax: +420/5/43 554 112, 214
See Disclaimer http://www.nextra.cz/disclaimer

Zdenek Pavlas
May 9, 2003, 10:07:04 AM
Radek Kanovsky wrote:

> I haven't seen it written anywhere, but I think socket.ssl is made only
> for clients. For a server you need to use the openssl module or something else.

Yep, that's what it looks like. There could at least have been a mention of it in the documentation.
Thanks for the OpenSSL usage example, I'll try to rewrite it.

Zdenek Pavlas
May 9, 2003, 10:53:03 AM
Radek Kanovsky wrote:

> # Set up server
> server = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
> server.bind(('', PORT))
> server.listen(3)
> #server.setblocking(0)

Unfortunately, it doesn't work when I pass an already accept()ed socket as the
second argument to Connection() and then call renegotiate() on the connection
object; it crashes with a segv.

I'd like to communicate normally, install an SSL wrapper when needed and
communicate encrypted, and then return to unencrypted communication on the
same socket. It looks like pyopenssl can't do this, so I'll have to open
additional sockets. :(

--
Zdenek Pavlas
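As an added example (not code from this thread, and using the modern Python `ssl` module rather than the 2003 socket.ssl or pyOpenSSL), here is the flow Zdenek describes: the server wraps an already accept()ed socket with server_side=True, so it answers the client's ClientHello with a ServerHello instead of waiting for one as socket.ssl did, and unwrap() afterwards hands the same socket back in plaintext. It assumes the openssl command-line tool is installed to mint a throwaway localhost certificate at run time, and the "STARTTLS" greeting is a hypothetical line-based convention, not part of any real protocol here.

```python
import os, shutil, socket, ssl, subprocess, tempfile, threading

TIMEOUT = 5  # seconds: a stalled handshake raises instead of hanging forever

def make_self_signed(dirpath):
    # Throwaway key/cert for 'localhost' via the openssl CLI (assumed installed, 1.1.1+ for -addext).
    cert, key = os.path.join(dirpath, "cert.pem"), os.path.join(dirpath, "key.pem")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
           "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
           "-keyout", key, "-out", cert]
    if shutil.which("openssl") is None or subprocess.run(cmd, capture_output=True).returncode:
        return None  # caller treats this as "cannot demo on this machine"
    return cert, key

def server_context(certfile, keyfile):
    # Server-side context: carries the server's own key pair, which is what answers a ClientHello.
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def serve_one(listener, ctx):
    # Accept in plaintext, upgrade on the STARTTLS line, echo over TLS, drop back to plaintext, echo again.
    conn, _ = listener.accept()
    conn.settimeout(TIMEOUT)
    conn.recv(64)                                  # the client's "STARTTLS\n"
    conn.sendall(b"OK\n")
    tls = ctx.wrap_socket(conn, server_side=True)  # server-side handshake on the accepted socket
    tls.sendall(tls.recv(64))                      # echo over TLS
    plain = tls.unwrap()                           # close_notify both ways; the bare socket comes back
    plain.sendall(plain.recv(64))                  # echo over plaintext on the very same socket
    plain.close()

def run_demo():
    # Server thread plus in-process client; returns (tls_echo, plain_echo), or None without a cert.
    with tempfile.TemporaryDirectory() as d:
        pair = make_self_signed(d)
        if pair is None:
            return None
        listener = socket.create_server(("127.0.0.1", 0))
        worker = threading.Thread(target=serve_one, args=(listener, server_context(*pair)))
        worker.start()
        client_ctx = ssl.create_default_context(cafile=pair[0])  # trust only the test cert
        c = socket.create_connection(listener.getsockname(), timeout=TIMEOUT)
        c.sendall(b"STARTTLS\n"); c.recv(64)       # "OK\n": server now expects a ClientHello
        tls = client_ctx.wrap_socket(c, server_hostname="localhost")
        tls.sendall(b"secret\n"); tls_echo = tls.recv(64)
        c = tls.unwrap()                           # client drops back to the bare socket too
        c.sendall(b"plain\n"); plain_echo = c.recv(64)
        c.close(); worker.join(TIMEOUT); listener.close()
        return tls_echo, plain_echo
```

Calling run_demo() returns (b"secret\n", b"plain\n") when a certificate could be minted; the echo over TLS is the part socket.ssl could never do on the server side, because it only ever spoke the client half of the handshake.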
