
So, I'm currently trying to create a system for client authentication using the Python SSL module. My question is the following: do the lines below provide me with client authentication?

server side

context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations(cafile="ca_bundle.pem")
context.check_hostname = False

client side

context.load_cert_chain(certfile="client_crt.pem", keyfile="client_private_key.pem")
context.load_verify_locations(cafile=CERT_AU)

".CERT_REQUIRED" is explained here, and load_verify_locations here. The last line is because my certificates use ids as common names, rather than DNS names or IP addresses.

What I want to do is force the client to send me his certificate with a signature and compare the signature with the public key he provided, i.e., show that he truly has the private key assigned to that certificate.

Do these lines provide this? If not, how can I achieve client authentication in Python?

==EDIT== For anyone still interested, here is a slightly larger code snippet (note: my actual code is too big, so I'm just posting the relevant parts)

server side

import socket
import ssl
from _thread import start_new_thread

# thread started from the main process
def recebe_conexao_ssl(Client, fim, lock):

    sock = socket.socket()
    sock.bind(('', port_ssl))
    sock.listen(5)
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    context.load_cert_chain(certfile=my_cert, keyfile=private_key)

    '''
    The next 3 lines force the client to send its own certificate. But I don't know whether they authenticate it (i.e. test whether the client has the private key corresponding to the certificate it sent).
    More details: https://docs.python.org/3.8/library/ssl.html#ssl.CERT_REQUIRED
    '''
    context.verify_mode = ssl.CERT_REQUIRED
    context.load_verify_locations(cafile=ca_bundle)
    context.check_hostname = False
    '''
    I don't use check_hostname because my IPs are dynamic
    '''
    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    context.set_ciphers('EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH')

    file = open("client_1.txt", "a")
    file.write("conexao_ssl started\n-----------\n")
    file.close()

    while True:
        ssock, addr = sock.accept()

        start_new_thread(recebimento_individual, (ssock, context, lock))
        print("connection accepted!")

    print("Server shutting down!")

client side

import socket
import ssl

def enviar_msg(Client):
    sock = socket.socket(socket.AF_INET)
    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    context.set_ciphers('EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH')
    context.check_hostname = False
    context.load_cert_chain(certfile=my_cert, keyfile=private_key)
    context.load_verify_locations(cafile=ca_bundle)
    conn = context.wrap_socket(sock)
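Below is an added example, not code from the question, showing end to end what those three server-side lines do. It mints a throw-away PKI with the `cryptography` package (a recent version; the TLS part is standard library only) under made-up names (demo-ca, server-7, client-42 and a one-entry allow-list) and runs four cases on localhost: a client with a certificate from the server's CA, a client with no certificate, a client whose certificate carries the same common name but was issued by another CA, and a client that tries to load a certificate with a key that does not belong to it. With `verify_mode = CERT_REQUIRED` plus `load_verify_locations`, the first two rejections happen inside the TLS handshake itself: OpenSSL checks that the client certificate chains to the loaded CA and verifies the CertificateVerify signature the client makes over the handshake transcript with the certificate's private key, so the application never compares signatures by hand. What remains for the application is authorization: read `getpeercert()` and decide what that common name may do.

```python
# Added example, not the question's code: mutual TLS with Python's ssl module. The `cryptography`
# package is used only to mint a throw-away PKI; names (demo-ca, server-7, client-42) are made up.
import datetime, pathlib, queue, socket, ssl, tempfile, threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ALLOWED_CLIENT_IDS = {"client-42"}   # authorization keyed on the CN, used as an id as in the question

def _make_cert(cn, issuer=None, is_ca=False):
    """(key, cert) for cn: self-signed if issuer is None, else signed by issuer=(key, cert).
    KeyUsage/SKID/AKID are present so the chain also passes OpenSSL's strict RFC 5280 checks."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer_key, issuer_cert = issuer if issuer else (key, None)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(digital_signature=True, key_cert_sign=is_ca, crl_sign=is_ca,
                content_commitment=False, key_encipherment=False, data_encipherment=False,
                key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()), critical=False)
            .sign(issuer_key, hashes.SHA256()))
    return key, cert

def make_pki(directory):
    """Write <name>.pem/.key for ca, server, client and rogue (client-42 issued by an unrelated CA)."""
    ca, other_ca = _make_cert("demo-ca", is_ca=True), _make_cert("someone-elses-ca", is_ca=True)
    material = {"ca": ca, "server": _make_cert("server-7", ca),
                "client": _make_cert("client-42", ca), "rogue": _make_cert("client-42", other_ca)}
    paths = {}
    for name, (key, cert) in material.items():
        pem, keyfile = pathlib.Path(directory, name + ".pem"), pathlib.Path(directory, name + ".key")
        pem.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
        keyfile.write_bytes(key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                              serialization.NoEncryption()))
        paths[name + ".pem"], paths[name + ".key"] = str(pem), str(keyfile)
    return paths

def _server(paths, port_q, outcome):
    """Accept one connection; the handshake in wrap_socket checks the chain and the CertificateVerify
    signature (proof the client holds the certificate's private key), then records the verdict."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(paths["server.pem"], paths["server.key"])
    ctx.verify_mode = ssl.CERT_REQUIRED                 # no client certificate -> handshake fails
    ctx.load_verify_locations(cafile=paths["ca.pem"])   # not issued by demo-ca -> handshake fails
    with socket.socket() as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(1)
        port_q.put(lsock.getsockname()[1])
        conn, _ = lsock.accept()
        try:
            with conn, ctx.wrap_socket(conn, server_side=True) as tls:
                subject = {k: v for rdn in tls.getpeercert()["subject"] for k, v in rdn}
                client_id = subject["commonName"]       # authenticated by TLS; authorization is ours
                if client_id in ALLOWED_CLIENT_IDS:
                    tls.sendall(b"hello " + client_id.encode())
                outcome.update(ok=client_id in ALLOWED_CLIENT_IDS, client_id=client_id)
        except OSError as exc:                          # ssl.SSLError is a subclass of OSError
            outcome.update(ok=False, reason=getattr(exc, "reason", None) or str(exc))

def connect_as(paths, identity):
    """One localhost handshake as 'client', 'rogue' or None (no certificate); returns the server's verdict."""
    port_q, outcome = queue.Queue(), {}
    t = threading.Thread(target=_server, args=(paths, port_q, outcome), daemon=True)
    t.start()
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=paths["ca.pem"])
    ctx.check_hostname = False   # server CN is an id, not a DNS name, as in the question
    if identity:
        ctx.load_cert_chain(paths[identity + ".pem"], paths[identity + ".key"])
    try:
        with socket.create_connection(("127.0.0.1", port_q.get(timeout=5))) as s, ctx.wrap_socket(s) as tls:
            tls.recv(64)         # under TLS 1.3 a rejected client may only see the alert here
    except OSError:
        pass                     # the server side holds the deterministic verdict
    t.join(5)
    return outcome

def mismatched_key_is_rejected(paths):
    """A certificate without its key is useless: load_cert_chain checks the pair locally, and a
    client patched to skip that would fail the server's CertificateVerify check instead."""
    try:
        ssl.create_default_context().load_cert_chain(paths["client.pem"], paths["rogue.key"])
    except ssl.SSLError:
        return True
    return False

def run_demo():
    """Mint the PKI in a temp dir and run the three client cases plus the key-pair check."""
    with tempfile.TemporaryDirectory() as d:
        paths = make_pki(d)
        return {"good client": connect_as(paths, "client"),
                "no certificate": connect_as(paths, None),
                "cert from another CA": connect_as(paths, "rogue"),
                "cert with someone else's key": mismatched_key_is_rejected(paths)}
```

`run_demo()` returns the server's verdict for each case: only the client-42 certificate issued by demo-ca ends with `ok: True`, the other two handshakes fail on the server before any application data flows, and the cert-plus-wrong-key case fails before a connection is even attempted. Two caveats the question's setup makes relevant: the server thread is the side to trust for the verdict, because under TLS 1.3 a rejected client may complete its own handshake and only see the alert on its first `recv()`; and `check_hostname = False` on the client means any certificate issued by the CA is accepted as the server, so if the server's identity matters the client should inspect `getpeercert()` on its side too, the same way the server does here.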
