xmlrpc security


kw...@teradactyl.com

Oct 24, 2013, 6:40:50 PM
to web...@googlegroups.com
Hi All,
I am new to python and web2py and I really like them both!

Can @xmlrpc provide client side certificate validation and
actually do the hostname checks on the certificates
(to prevent MITM attacks) when
an application is deployed on an apache server?

I ask this because web2py turned me on to the xmlrpc
interface in python, and running tests there, I had to
really muck with the 2.x python code to get this to
work.

If not, I'm very happy to cleanup my xmlrpc changes to
be incorporated into web2py.

Thanks in advance!
Kris
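On the caller's side, the hostname check Kris asks about is available from the standard library once a verifying TLS context is handed to the XML-RPC client. The block below is an added example, not code from the thread or from web2py: it is written for Python 3's xmlrpc.client (the same `context=` keyword exists on `xmlrpclib.ServerProxy` from Python 2.7.9), and the URL and certificate paths are placeholders.

```python
import ssl
import xmlrpc.client


def make_tls_context(cafile=None, client_cert=None, client_key=None):
    """Context that (1) requires a server certificate chaining to a trusted CA,
    (2) checks the server name against that certificate, and (3) optionally
    presents a client certificate for machine authentication."""
    # create_default_context() already sets CERT_REQUIRED + check_hostname; stating
    # them again guards against someone later relaxing the context to make a
    # self-signed server "work", which is exactly the MITM hole being discussed.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        # Placeholder paths: the client's own certificate/key pair (assumption).
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def make_verified_proxy(url, **tls_opts):
    """ServerProxy that can only talk HTTPS with full verification."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to speak XML-RPC over plaintext: %r" % url)
    return xmlrpc.client.ServerProxy(url, context=make_tls_context(**tls_opts))


def proxy_is_verified(proxy):
    """What a reviewer would check before trusting a proxy: the transport's
    context both verifies the chain and matches the hostname."""
    ctx = proxy("transport").context
    return ctx is not None and ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # Placeholder endpoint (no connection is made until a method is called).
    p = make_verified_proxy("https://rpc.example.invalid/app/default/call/xmlrpc")
    print("verified:", proxy_is_verified(p))
```

With `cafile` pointing at the CA that issued the server certificate (for the self-signed case, the server certificate itself), a server presenting any other certificate, or the right certificate under the wrong name, fails in the handshake with `ssl.SSLCertVerificationError` before any XML-RPC call is sent.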

Massimo Di Pierro

Oct 25, 2013, 12:31:41 AM
to web...@googlegroups.com
I do not think xmlrpc can do this currently.
Please share your code.

Michele Comitini

Oct 25, 2013, 5:44:14 AM
to web...@googlegroups.com
It should be possible in combination with gluon/contrib/login_methods/x509_auth.py using the standard @auth_requires_login or checking authorization data in a model after the usual auth=Auth() is properly instantiated and initiated.

mic

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Kristen J. Webb

Oct 25, 2013, 2:35:36 PM
to web...@googlegroups.com
Hi guys,

Thanks for the pointers.

I'm trying to use self-signed certs to remove
login/password from the xmlrpc interface
for machine authentication.
Digging more in the docs, it looks like part
of this is apache config.

I'll do some more testing and report
back if/what changes I have to make
to web2py to get it to work.

Kris

--
This message is NOT encrypted
--------------------------------
Mr. Kristen J. Webb
Chief Technology Officer
Teradactyl LLC.
2450 Baylor Dr. S.E.
Albuquerque, New Mexico 87106
Phone: 1-505-338-6000
Email: kw...@teradactyl.com
Web: http://www.teradactyl.com

Providers of Scalable Backup Solutions
for Unique Data Environments

--------------------------------


kw...@teradactyl.com

Nov 6, 2013, 11:14:23 AM
to web...@googlegroups.com
Here is my current solution:

First, I optionally obtain the client cert and set environment variables in apache:

  SSLVerifyClient optional
  SSLVerifyDepth 2
  # export SSL_CLIENT_S_DN_CN, SSL_CLIENT_VERIFY, ... into the request environment
  SSLOptions +StdEnvVars

This allows login via browsers to not require a client cert (using Auth instead).
Then I read up on decorators and created a simple one to verify the client IP with
the common name using the apache ssl environment in my model:

import socket

def gethostips(host, family=None):
    """Return every IPv4/IPv6 address `host` resolves to (possibly an empty list)."""
    ips = set()
    if family:
        families = (family,)
    else:
        families = (socket.AF_INET,
                    socket.AF_INET6)
    for fam in families:
        try:
            res = socket.getaddrinfo(host, None,
                                     fam, socket.SOCK_STREAM)
        except socket.error:
            continue
        ips.update(x[4][0] for x in res)
    return list(ips)

# more todo...
def check_client_cert(f):
    # Evaluated when the model runs (once per request in web2py), so request.env
    # holds the Apache SSL variables for the current request. Returns f unchanged
    # when the certificate CN resolves to the peer address; otherwise the decorated
    # name is bound to False (which is what produces the 500 described below).
    if request.env.ssl_client_s_dn_cn is not None:
        for ip in gethostips(request.env.ssl_client_s_dn_cn):
            if ip == request.env.remote_addr:
                return f
    return False

Now I can decorate my xmlrpc requests with:

@service.xmlrpc
@check_client_cert
def my_function(my_args):

In this way, I can customize cert checks for my application.

NOTE: If the ips do not match the client gets a trace with:

xmlrpclib.ProtocolError: <ProtocolError for client:443/tibs1/default/call/xmlrpc: 500 INTERNAL SERVER ERROR>

My two questions are:
1. Does using decorators seem reasonable for what I'm trying to do
(i.e. any glaring security issues come to mind)?

2. Is there a better way to exit the decorator on error besides just returning False?
I always like to leave the attacker as confused as possible ;)

Kris
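The two questions above (is a decorator reasonable, and how should it fail) are worth answering with a concrete pattern. The block below is an added example, not Kris's code or web2py's: it keeps the decorator idea but checks on every call, fails with a bare 403 instead of replacing the function with False, and adds the two checks a reviewer would ask for, that mod_ssl actually verified the chain (`SSL_CLIENT_VERIFY`, since with `SSLVerifyClient optional` a client that sent no certificate still reaches the application) and that the whole subject DN is on an allow-list, not just the CN. The `gluon` imports are web2py's; the hostnames, addresses, DN and resolver table are constructed sample data.

```python
import socket
from functools import wraps

try:
    from gluon.http import HTTP            # web2py's HTTP exception
except ImportError:                        # stand-in so the module imports outside web2py
    class HTTP(Exception):
        def __init__(self, status, body=""):
            super().__init__("%s %s" % (status, body))
            self.status = status


def host_ips(host, resolver=socket.getaddrinfo):
    """Every IPv4/IPv6 address `host` resolves to; empty set if it does not resolve."""
    try:
        records = resolver(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except OSError:
        return set()
    return {rec[4][0] for rec in records}


def client_cert_ok(env, allowed_dns, resolver=socket.getaddrinfo, check_ip=True):
    """Authorise a request from the mod_ssl variables that +StdEnvVars exports.

    `env` is a mapping with lower-cased keys, the way web2py's request.env
    presents the WSGI environ (ssl_client_verify, ssl_client_s_dn, ...).
    """
    # 1. With "SSLVerifyClient optional" an anonymous client still gets through,
    #    so the DN fields mean nothing unless mod_ssl reports a verified chain.
    if env.get("ssl_client_verify") != "SUCCESS":
        return False
    # 2. Pin the full subject DN (in whatever format your Apache emits it).
    #    Matching only the CN lets any cert the server's CA bundle trusts claim it.
    if env.get("ssl_client_s_dn") not in allowed_dns:
        return False
    # 3. The original post's extra check: the CN must resolve to the peer address.
    #    Weak on its own if a reverse proxy rewrites remote_addr or DNS is spoofable.
    if check_ip:
        cn = env.get("ssl_client_s_dn_cn") or ""
        if env.get("remote_addr") not in host_ips(cn, resolver):
            return False
    return True


def require_client_cert(allowed_dns, env_getter=None, **check_opts):
    """Decorator factory. The wrapped object stays a real function (so
    @service.xmlrpc can still register it by __name__) and every call is
    checked; failure is a bare 403 that tells the caller nothing about why."""
    def decorator(f):
        @wraps(f)
        def wrapper(*args, **kwargs):
            if env_getter is not None:
                env = env_getter()
            else:                          # inside web2py: the per-request context
                from gluon import current
                env = current.request.env
            if not client_cert_ok(env, allowed_dns, **check_opts):
                raise HTTP(403)
            return f(*args, **kwargs)
        return wrapper
    return decorator


# --- constructed sample data: not real hosts, addresses or certificates ------
ALLOWED_DNS = {"CN=backup1.example.com,O=Example Corp"}

def fake_resolver(host, port, family, socktype):
    """Offline stand-in for socket.getaddrinfo with a single known host."""
    table = {"backup1.example.com": ["192.0.2.10"]}
    if host not in table:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in table[host]]

GOOD_ENV = {"ssl_client_verify": "SUCCESS",
            "ssl_client_s_dn": "CN=backup1.example.com,O=Example Corp",
            "ssl_client_s_dn_cn": "backup1.example.com",
            "remote_addr": "192.0.2.10"}
NO_CERT_ENV = {"ssl_client_verify": "NONE", "remote_addr": "192.0.2.10"}
WRONG_IP_ENV = dict(GOOD_ENV, remote_addr="198.51.100.7")


def call_with_env(env):
    """Run a decorated RPC function against `env`; return its result or the HTTP status."""
    @require_client_cert(ALLOWED_DNS, env_getter=lambda: env, resolver=fake_resolver)
    def my_function(my_args):
        return my_args * 2
    try:
        return my_function(21)
    except HTTP as e:
        return e.status


if __name__ == "__main__":
    print(call_with_env(GOOD_ENV), call_with_env(NO_CERT_ENV), call_with_env(WRONG_IP_ENV))
```

In a web2py model the stacking order is the same as in the post, `@service.xmlrpc` outermost and `@require_client_cert({...})` beneath it, with no `env_getter` so the wrapper reads `current.request.env`. A rejected caller then sees `ProtocolError: 403 FORBIDDEN` rather than a 500, and since the body is empty it learns nothing about which of the three checks failed.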