New submission from Quinn Slack <s...@cs.stanford.edu>: This patch adds support for TLS-SRP (RFC 5054[1]) to Python ssl.SSLSocket, _ssl.c, http, and urllib. TLS-SRP lets a client and server establish a mutually authenticated SSL channel using only a username and password (a certificate may also be used to supplement authentication).
TLS-SRP is supported in GnuTLS, OpenSSL 1.0.1 (soon to be released), cURL, TLSLite (a Python module), and mod_gnutls. There are also patches for Chrome, NSS, mod_ssl, Django, Firefox, WordPress, and SJCL (see [2]). Much of the growing interest in TLS-SRP is because a couple of key PAKE patents expired recently. Also, CAs are perceived as more vulnerable now than a few years ago, and in certain cases TLS-SRP is a good substitute for or supplement to certificate auth. Two Python-specific use cases for TLS-SRP are calling HTTP APIs that require auth, and test suites written in Python for networked software (e.g., Chromium uses TLSLite for network testing).

I'm submitting this patch now to begin gathering feedback.

###########################################################
EXAMPLE USAGE
###########################################################

import urllib.request

# tls_username / tls_password are the keyword arguments this patch adds to urlopen().
res = urllib.request.urlopen("https://tls-srp.test.trustedhttp.org/",
                             tls_username='jsmith', tls_password='abc')
print(res.read())  # => "user: jsmith"

###########################################################

import ssl
import http.client

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.set_tls_username_password('jsmith', 'abc')   # method added by this patch
h = http.client.HTTPSConnection('tls-srp.test.trustedhttp.org', 443, context=context)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)  # => 200
print(resp.read())  # => "user: jsmith"

###########################################################

import socket, ssl

with socket.socket() as sock:
    # ciphers='SRP' limits the offered cipher suites to the SRP ones, so a server
    # without SRP support makes the handshake fail instead of negotiating
    # certificate-only authentication.
    s = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers='SRP',
                        tls_username='jsmith', tls_password='abc')
    s.connect(('tls-srp.test.trustedhttp.org', 443))
    s.write(b"GET / HTTP/1.0\r\n\r\n")
    print(s.read())

###########################################################

[1] http://tools.ietf.org/html/rfc5054
[2] http://trustedhttp.org/
[3] http://trustedhttp.org/wiki/TLS-SRP_in_Python

----------
components: Library (Lib)
files: python+tls-srp-20110427.patch
hgrepos: 23
keywords: patch
messages: 134627
nosy: sqs
priority: normal
severity: normal
status: open
title: Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib
versions: Python 3.3
Added file: http://bugs.python.org/file21815/python+tls-srp-20110427.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11943>
_______________________________________
Python-bugs-list mailing list
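The SRP-6a exchange that RFC 5054 carries inside the TLS handshake, written out end to end as an added example (this is not code from the patch, from TLSLite, or from the tracker message): enrolment derives the verifier v from salt and password, the server's ServerKeyExchange carries B, the client's ClientKeyExchange carries A, and each side derives the same premaster secret S from its own ephemeral secret plus the peer's public value. It also performs the two aborts RFC 5054 requires (B mod N == 0 on the client, A mod N == 0 on the server). The group is the 1024-bit group from RFC 5054 Appendix A; the username, password and salt in the demo are the sample inputs from the RFC's Appendix B test vector, used here only as constructed input (the code checks that the two sides agree, not the RFC's published intermediate values). Function names are the example's own.

```python
"""Worked SRP-6a key exchange as used by TLS-SRP (RFC 5054), in plain Python."""
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A (generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8   # 128 bytes


def pad(x):
    """PAD(x) from RFC 5054: big-endian, left-padded with zero bytes to len(N)."""
    return x.to_bytes(N_BYTES, "big")


def sha1_int(*parts):
    """SHA-1 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def compute_k():
    """k = SHA1(N | PAD(g)), the SRP-6a multiplier that blinds v inside B."""
    return sha1_int(pad(N), pad(g))


def compute_x(salt, username, password):
    """x = SHA1(s | SHA1(I | ':' | P)); RFC 5054 hashes the raw username and password bytes."""
    inner = hashlib.sha1(username.encode() + b":" + password.encode()).digest()
    return sha1_int(salt, inner)


def make_verifier(salt, username, password):
    """Enrolment: v = g^x mod N. The server stores (I, s, v) and never the password."""
    return pow(g, compute_x(salt, username, password), N)


def server_key_exchange(v, b):
    """ServerKeyExchange value: B = k*v + g^b mod N (sent together with N, g, s)."""
    return (compute_k() * v + pow(g, b, N)) % N


def client_key_exchange(a):
    """ClientKeyExchange value: A = g^a mod N."""
    return pow(g, a, N)


def compute_u(A, B):
    """u = SHA1(PAD(A) | PAD(B)); binds both ephemeral values into the shared secret."""
    return sha1_int(pad(A), pad(B))


def client_premaster(salt, username, password, a, A, B):
    """Client side: S = (B - k*g^x)^(a + u*x) mod N. Must abort if B mod N == 0."""
    if B % N == 0:
        raise ValueError("server sent B == 0 mod N; abort the handshake")
    x = compute_x(salt, username, password)
    u = compute_u(A, B)
    base = (B - compute_k() * pow(g, x, N)) % N
    return pow(base, a + u * x, N)


def server_premaster(v, b, A, B):
    """Server side: S = (A * v^u)^b mod N. Must abort if A mod N == 0."""
    if A % N == 0:
        raise ValueError("client sent A == 0 mod N; abort the handshake")
    u = compute_u(A, B)
    return pow((A * pow(v, u, N)) % N, b, N)


def run_exchange(username, password, salt, v, a=None, b=None):
    """Drive one exchange and return (client_S, server_S).

    a and b default to fresh 256-bit secrets, the minimum RFC 5054 recommends.
    The client only knows the password, the server only knows v; the two
    results agree exactly when the password behind v matches.
    """
    a = secrets.randbits(256) if a is None else a
    b = secrets.randbits(256) if b is None else b
    B = server_key_exchange(v, b)   # server -> client
    A = client_key_exchange(a)      # client -> server
    return (client_premaster(salt, username, password, a, A, B),
            server_premaster(v, b, A, B))


if __name__ == "__main__":
    # Sample inputs taken from the RFC 5054 Appendix B test vector (constructed demo data).
    salt = bytes.fromhex("BEB25379D1A8581EB5A727673A2441EE")
    v = make_verifier(salt, "alice", "password123")
    good = run_exchange("alice", "password123", salt, v)
    bad = run_exchange("alice", "not-the-password", salt, v)
    print("correct password agrees:", good[0] == good[1])
    print("wrong password agrees:  ", bad[0] == bad[1])
```

The point to take away for the patch's use cases: the server side holds only (salt, v), so the credential store leaks no password in the clear, and neither side needs a certificate for the channel to be mutually authenticated, because only a party holding the password (or v) can reach the same S. The caveat is that x is a single SHA-1 pass, so a leaked v is still open to an offline dictionary attack; SRP protects the wire, not a weak password.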