python - Two-way ssl authentication for flask -

-

i have implemented ssl communication client application verifies identity of ssl server application using flask. want ssl server application verify identity of ssl-client application. possible flask ? how verify client certificate ? during first handshake client sending csr , in response sending certificate signed self signed ca certificate.

but not yet clear how client verified server while next communication. there callback cert verification. link on google groups says not possible have ssl authentication on flask. in order 1 need use webserver apache,ngnix. way authenticate client ?

there 1 more thing want achieve need identify each client based on certificate. possible flask.

my question naive not yet familiar flask

disclaimer

before start note @emanuel ey's comment. want consider if being done on production or development server first. example; if using apache webserver https component can done apache. thing differently pass through certificate details options , server app verify serial number within app itself.

it possible

but way possible not considered programming practice. unfortunately, it's not accessible flask.request , not possible flask package. however, flask uses werkzeug , possible patching werkzeug.serving package writing main flask code. not recommended because may want update flask or werkzeug later , patch might break , need re-factored. i.e. 0.9 1.0.

this provides solution without using web server. recommend web server/environment variable combo. cleaner , comparatively practice.

i have done testing see if easy implement. able confirm method can work using latest development codebase 'werkzeug-0.10_devdev_20141223-py2.7'.

you'll want verify of serial number (seed number) found in each certificate (and maybe other variables). may know, serial unique each certificate , determined during certificate generation process on server side. helps store along clients record , certificate information (where appropriate) in order verify client certificate serial number later on. note: may require alterations between hex , base 10 decimal.

werkzeug dev_2014122

what did add in following options werkzeug.serving.basewsgiserver.__init__ call wrap_socket().

use these; server_side=true, ca_certs= '/etc/apache2/ssl/ca.pem', cert_reqs=ssl.cert_required

  • ca_certs: use verify against, ca cert used generate client certificates)
  • ssl.cert_required: require client certificate verification against ca_certs

note: if client certificate not pass initial verification not able fetch client certificate. none.

then in flask test class patched verify_request where

def verify_request(self, request, client_address):  cert = request.getpeercert(true) raw = decoder.decode(cert)[0] print "serial number of certificate is: % " % str(raw[0][1]) # todo: checks & if serial no ok return true return true  werkzeug.serving.basewsgiserver.verify_request = verify_request

this proved possible you'll want investigate request handlers of httpserver class basewsgiserver inherits find better way call or override.

werkzeug 0.9.x

if using werkzeug 0.9.x i'm assuming using import from openssl import ssl. see code snippet here. have not tested this.

some of calls may interested in version be; - context.set_verify(mode, callback) - connection.get_peer_certificate()

clarification

what not understand reference sending csr during first handshake. if process of client certificate generation may want rethink how in context of system , environment. if have more information comment further..

also, 'handshake' in ssl/tls context refers action of creating secure connection in first place using existing certificate. after handshaking, loosely speaking, connection established.


Comments

Post a Comment

Popular posts from this blog

java - Intellij Synchronizing output directories .. -

-
i trying build project, run in debug mode , keep getting "synchronizing output directories" in intellij. takes around 5-10 minutes actual build. project empty , stored on local drive. tried invalidate catche has not worked. out of ideas .. had similar issues? most likely, of data on network drive or in profile being synchronized network drive. if on windows, try moving .ideaxxx/system directory , work directory somewhere else on c: drive.
Read more

git - Initial Commit: "fatal: could not create leading directories of ..." -

-
i trying make initial commit git repository on github unity project. followed along this guide am. note: reason or another, couldn't set unity's asset serialization mode force text, settled on mixed (which believe should work). when call git clone --bare . , error. note not creator of repository , contributor (though making initial commit). here's in terminal (i'm using git bash): welcome git (version 1.8.4-preview20130916) run 'git git' display index. run 'git <command>' display specific commands. cheddar@cheddar-pc ~ $ cd documents/ics168swarch/ cheddar@cheddar-pc ~/documents/ics168swarch $ git init initialized empty git repository in c:/users/cheddar/documents/ics168swarch/.git / cheddar@cheddar-pc ~/documents/ics168swarch (master) $ git add . warning: lf replaced crlf in assets/prefabs.meta. file have original line endings in working directory. warning: lf replaced crlf in assets/prefabs/pellet.prefab.meta. file have original
Read more