
I'm trying to understand the semantics of the SSL sockets in Thrift, in particular what the fields ca_certs, keyfile, and certfile accomplish.

Is the usage that, on a client, the keyfile is a path to a private key, and this is then verified on the server side using a cert in the certfile?

The fields seem inverted to me, in that I would expect to see a keyfile field on the server side and not client side.

Is the certfile on the server side truly a PEM file (meaning a combination of public cert and private key), or is it just a cert?

What is the proper usage to authenticate client to server and vice versa?

TSSLSocket initializer:

    def __init__(self,
                 host='localhost',
                 port=9090,
                 validate=True,
                 ca_certs=None,
                 keyfile=None,
                 certfile=None,
                 unix_socket=None,
                 ciphers=None):
        """Create SSL TSocket

        @param validate: Set to False to disable SSL certificate validation
        @type validate: bool
        @param ca_certs: Filename to the Certificate Authority pem file, possibly a
        file downloaded from: http://curl.haxx.se/ca/cacert.pem  This is passed to
        the ssl_wrap function as the 'ca_certs' parameter.
        @type ca_certs: str
        @param keyfile: The private key
        @type keyfile: str
        @param certfile: The cert file
        @type certfile: str
        @param ciphers: The cipher suites to allow. This is passed to
                        the ssl_wrap function as the 'ciphers' parameter.
        @type ciphers: str

        Raises an IOError exception if validate is True and the ca_certs file is
        None, not present or unreadable.
        """

Server side:

    class TSSLServerSocket(TSocket.TServerSocket):
        SSL_VERSION = ssl.PROTOCOL_TLSv1

        def __init__(self,
                     host=None,
                     port=9090,
                     certfile='cert.pem',
                     unix_socket=None,
                     ciphers=None):
  • Did you ever get an answer for this? – john Jul 01 '17 at 09:23
  • Yes. This has changed in recent versions, but the following has worked for me. certfile should simply be the signed cert, keyfile should be the private key and ca_certs should be the entire chain that leads to the root ca and which signed the certfile. This is our current setup in production. – bearrito Jul 05 '17 at 19:10
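
The following is an added, runnable example (not code from the question, the comment, or the Thrift project) that shows the three file roles the question asks about and that bearrito's comment describes, using Python's stdlib ssl module, which is what Thrift's Python TSSLSocket/TSSLServerSocket wrap: keyfile is the side's own private key, certfile its own signed certificate, and ca_certs the trust anchors used to verify the other side. The same roles apply on both client and server, which is why the client has a keyfile too: it needs one only if the server is going to authenticate it. The example mints a throwaway CA, a server cert and two client certs with the third-party `cryptography` package (assumed to be installed; used only to create test certificates), then runs three mutual-TLS handshakes over loopback: a client signed by the trusted CA, a client with the same CN signed by a rogue CA, and a client with no certificate at all. The scenario names, file names and the `demo()`/`run_handshake()` helpers are this example's own, not Thrift API.

```python
"""Mutual TLS with the stdlib ssl module, using the same three file roles as Thrift's
TSSLSocket/TSSLServerSocket: keyfile = own key, certfile = own cert, ca_certs = peer trust."""
import datetime
import socket
import ssl
import tempfile
import threading
from pathlib import Path

from cryptography import x509  # third-party; used here only to mint throwaway test certs
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_cert(cn, issuer=None, is_ca=False, dns_name=None):
    """Return (key, cert): self-signed when issuer is None, else signed by issuer=(key, cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    signing_key, issuer_name = (key, subject) if issuer is None else (issuer[0], issuer[1].subject)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if dns_name:  # a server cert needs a SAN matching the name the client connects to
        builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
    return key, builder.sign(signing_key, hashes.SHA256())


def write_pem(directory, stem, key, cert):
    """Write <stem>.key and <stem>.crt as separate PEM files; return (keyfile, certfile)."""
    keyfile, certfile = Path(directory, stem + ".key"), Path(directory, stem + ".crt")
    keyfile.write_bytes(key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                          serialization.NoEncryption()))
    certfile.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
    return str(keyfile), str(certfile)


def server_context(certfile, keyfile, ca_certs):
    """certfile+keyfile = the server's identity; ca_certs = which client certs it will accept."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    ctx.load_verify_locations(cafile=ca_certs)
    ctx.verify_mode = ssl.CERT_REQUIRED  # demand a client certificate and verify its chain
    return ctx


def client_context(ca_certs, certfile=None, keyfile=None):
    """ca_certs = how the client validates the server; certfile+keyfile = the client's own identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED plus hostname check by default
    ctx.load_verify_locations(cafile=ca_certs)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def run_handshake(server_ctx, client_ctx, hostname="localhost"):
    """One TLS connection over loopback; returns what each side observed."""
    result = {}

    def serve(listener):
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                subject = tls.getpeercert()["subject"]  # e.g. ((('commonName', 'client'),),)
                result["client_cn"] = dict(attr for rdn in subject for attr in rdn)["commonName"]
                tls.sendall(b"hello")
        except OSError as exc:  # ssl.SSLError and its subclasses are OSErrors
            result["server_error"] = type(exc).__name__

    with socket.create_server(("127.0.0.1", 0)) as listener:
        thread = threading.Thread(target=serve, args=(listener,))
        thread.start()
        try:
            with socket.create_connection(listener.getsockname()) as raw:
                with client_ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                    result["client_got"] = tls.recv(5)  # under TLS 1.3 a rejected client cert fails here
        except OSError as exc:
            result["client_error"] = type(exc).__name__
        thread.join(timeout=10)
    return result


def demo():
    """Constructed PKI: one trusted CA, one rogue CA, three client scenarios against one server."""
    with tempfile.TemporaryDirectory() as d:
        ca, rogue_ca = make_cert("Example Root CA", is_ca=True), make_cert("Rogue CA", is_ca=True)
        _, ca_certs = write_pem(d, "ca", *ca)
        srv_key, srv_crt = write_pem(d, "server", *make_cert("localhost", ca, dns_name="localhost"))
        cli_key, cli_crt = write_pem(d, "client", *make_cert("client", ca))
        bad_key, bad_crt = write_pem(d, "rogue-client", *make_cert("client", rogue_ca))
        server = server_context(srv_crt, srv_key, ca_certs)
        return {
            "trusted": run_handshake(server, client_context(ca_certs, cli_crt, cli_key)),
            "rogue_ca": run_handshake(server, client_context(ca_certs, bad_crt, bad_key)),
            "no_cert": run_handshake(server, client_context(ca_certs)),
        }
```

Running `demo()` yields a "trusted" result in which the server records the client's CN and the client receives the server's bytes, while the "rogue_ca" and "no_cert" results carry an SSL error on the server side and no peer CN: the rogue client presents a certificate with the identical CN, but it does not chain to anything in the server's ca_certs, which is the check that actually authenticates the client. Mapping back to Thrift: the client side corresponds to TSSLSocket(validate=True, ca_certs=..., certfile=..., keyfile=...); on the server side the signature quoted above has no keyfile parameter, so with that version certfile has to be a PEM file holding both the certificate and its private key, since the ssl module reads the key from certfile when no separate keyfile is given.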
