tlslite readme摘要

?

python之TLS使用

?

版本

tlslite version 0.3.8

?

下载

http://trevp.net/tlslite/

?

安装

sudo python setup.py install

?

测试安装

cd test

tls.py servertest localhost:4443 .

tls.py clienttest localhost:4443 .

?

ubuntu/python2.7:

/usr/local/bin/tls.py

/usr/local/lib/python2.7/dist-packages/tlslite/TLSConnection.py

?

命令行

'tlsdb.py' 管理共享钥和验证用户-共享钥，SRP密码数据库

'tls.py' 测试其他TLS实现

?

运行SRP server:

?tlsdb.py createsrp verifierDB

?tlsdb.py add verifierDB alice abra123cadabra 1024

?tlsdb.py add verifierDB bob swordfish 2048

?sudo tls.py serversrp localhost:443 verifierDB

连接server:

?tls.py clientsrp localhost:443 alice abra123cadabra

?

基本使用步骤

Step 1 - 创建socket

记得设置超时处理

?from socket import *

?sock = socket(AF_INET, SOCK_STREAM)

?sock.connect( ("www.amazon.com", 443) )

?sock.settimeout(10) ?#Only on python 2.3 or greater

Step 2 - 创建TLS连接

?from tlslite.api import *

?connection = TLSConnection(sock)

Step 3 - 调用握手函数(client)

可以根据验证方式，使用不同的握手实现：

?connection.handshakeClientCert() #无需客户端验证(authentication)

?connection.handshakeClientCert(certChain, privateKey)

?connection.handshakeClientSRP("alice", "abra123cadabra")

?connection.handshakeClientSharedKey("alice", "PaVBVZkYqAjCQCu6UBL2xgsnZhw")

?connection.handshakeClientUnknown(srpCallback, certCallback)

ClientCert私钥获取：

#Load cryptoID certChain and privateKey. ?Requires cryptoIDlib.

from cryptoIDlib.CertChain import CertChain

s = open("./test/clientCryptoIDChain.xml").read()

certChain = CertChain()

certChain.parse(s)

s = open("./test/clientCryptoIDKey.xml").read()

privateKey = parseXMLKey(s, private=True)

#Load X.509 certChain and privateKey.

s = open("./test/clientX509Cert.pem").read()

x509 = X509()

x509.parse(s)

certChain = X509CertChain([x509])

s = open("./test/clientX509Key.pem").read()

privateKey = parsePEMKey(s, private=True)

SRP and SharedKey都需要手动验证用户名和密码.

不同的是，SRP较慢，但对低熵密码安全；shared keys快速，但只对高熵密码安全。

一般情况下，SRP用于人类可识别记忆的密码，在使用随机码作为密码时才使用shared keys

Unknown用于当无法知道server是否需要client authentication的时候

两个回调函数SRP callback和certificate callback 通常接受一个包含(username, password)，(certChain,privateKey)或者的tuple

通过HandshakeSettings 更多地控制handshake：

settings = HandshakeSettings()

settings.minKeySize = 2048

settings.cipherNames = ["aes256"]

settings.minVersion = (3,1)

connection.handshakeClientSRP("alice", "abra123cadabra", settings=settings)

重用session：

connection.handshakeClientSRP("alice", "abra123cadabra")

……

oldSession = connection.session

connection2.handshakeClientSRP("alice", "abra123cadabra", session=oldSession)

Step 3 - 调用握手函数(server)

server只有一个handshake函数，但不同的验证方式参数不同

SRP authentication要通过VerifierDB来验证数据库的密码

verifierDB = VerifierDB("./test/verifierDB") #无参数代表内存数据库

#打开已存在的

verifierDB.open()

#创建新的

verifier = VerifierDB.makeVerifier("alice", "abra123cadabra", 2048)

verifierDB["alice"] = verifier

#执行握手

connection.handshakeServer(verifierDB=verifierDB)

shared key authentication

sharedKeyDB = SharedKeyDB("./test/sharedkeyDB")

sharedKeyDB.open()

sharedKeyDB["alice"] = "PaVBVZkYqAjCQCu6UBL2xgsnZhw"

connection.handshakeServer(sharedKeyDB=sharedKeyDB)

a certificate and private key authentication

connection.handshakeServer(certChain=certChain, privateKey=privateKey, reqCert=True)

?

通过SessionCache重用客户端session

sessionCache = SessionCache()

connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)

Step 4 - 检查结果

如果握手结束没有出现异常，验证结果将被保存在connection's session object

如下variables是常用的：

connection.session.srpUsername ? ? ? #string

connection.session.sharedKeyUsername #string

connection.session.clientCertChain ? #X509CertChain or cryptoIDlib.CertChain.CertChain

connection.session.serverCertChain ? #X509CertChain or cryptoIDlib.CertChain.CertChain

Both types of certificate chain object support the getFingerprint() function,

X.509对象返回 the end-entity fingerprint并忽略其他证书

CryptoID fingerprints (也就是 "cryptoIDs") 是基于根证书(root cryptoID certificate)的, 所以必须在CertChain中调用validate()确保真的和cryptoID通话.

try:

checker = Checker(\x509Fingerprint='e049ff930af76d43ff4c658b268786f4df1296f2')

connection.handshakeClientCert(checker=checker)

except TLSAuthenticationError:

print "Authentication failure"

错误类型略

Step 5 - 交换数据

创建连接后，使用socket.SSL对象的read() and write()?

或者使用socket对象的send(), sendall(), recv(), 和makefile()

会导致的异常：TLSLocalAlert,TLSRemoteAlert, socket.error, or TLSAbruptCloseError

Step 6 - 关闭连接

调用close()

?

?

HTTPTLSConnection对httplib的扩展

? #没有验证

? h = HTTPTLSConnection("www.amazon.com", 443)

? h.request("GET", "")

? r = h.getresponse()

……

?

? #基于服务器X.509 fingerprint的验证

? h = HTTPTLSConnection("www.amazon.com", 443, x509Fingerprint="e049ff930af76d43ff4c658b268786f4df1296f2")

……

?

? #基于服务器 X.509 chain (需要cryptlib_py)的验证

? h = HTTPTLSConnection("www.amazon.com", 443, x509TrustList=[verisignCert], x509CommonName="www.amazon.com")

……

?

? #基于服务器cryptoID的验证

? h = HTTPTLSConnection("localhost", 443, cryptoID="dmqb6.fq345.cxk6g.5fha3")

……

?

? #使用SRP手动验证

? h = HTTPTLSConnection("localhost", 443, username="alice", password="abra123cadabra")

……

?

? #使用shared key手动验证

? h = HTTPTLSConnection("localhost", 443, username="alice", sharedKey="PaVBVZkYqAjCQCu6UBL2xgsnZhw")

……

?

? #基于服务器cryptoID 使用SRP, *AND*手动验证

? h = HTTPTLSConnection("localhost", 443, username="alice", password="abra123cadabra", cryptoID="dmqb6.fq345.cxk6g.5fha3")

……

?

?

XMLRPCTransport对xmlrpclib的扩展

? from tlslite.api import XMLRPCTransport

? from xmlrpclib import ServerProxy

?

? #No authentication whatsoever

? transport = XMLRPCTransport()

? server = ServerProxy("https://localhost", transport)

? server.someFunc(2, 3)

……

?

? #Authenticate server based on its X.509 fingerprint

? transport = XMLRPCTransport(\

? ? ? ? ? x509Fingerprint="e049ff930af76d43ff4c658b268786f4df1296f2") ?

……

?

?

POP3_TLS对poplib的扩展

IMAP4_TLS对imaplib的扩展

?

? #To connect to a POP3 server over SSL and display its fingerprint:

? from tlslite.api import *

? p = POP3_TLS("---------.net")

? print p.sock.session.serverCertChain.getFingerprint()

……

?

? #To connect to an IMAP server once you know its fingerprint:

? from tlslite.api import *

? i = IMAP4_TLS("cyrus.andrew.cmu.edu", x509Fingerprint="00c14371227b3b677ddb9c4901e6f2aee18d3e45")

…… ?

?

?

SMTP_TLS对smtplib的扩展

? #To connect to an SMTP server once you know its fingerprint:

? from tlslite.api import *

? s = SMTP_TLS("----------.net")

? s.starttls(x509Fingerprint="7e39be84a2e3a7ad071752e3001d931bf82c32dc")

……

?

?

SocketServer的使用

?

? from SocketServer import *

? from BaseHTTPServer import *

? from SimpleHTTPServer import *

? from tlslite.api import *

?

? s = open("./serverX509Cert.pem").read()

? x509 = X509()

? x509.parse(s)

? certChain = X509CertChain([x509])

?

? s = open("./serverX509Key.pem").read()

? privateKey = parsePEMKey(s, private=True)

?

? sessionCache = SessionCache()

?

? class MyHTTPServer(ThreadingMixIn, TLSSocketServerMixIn, HTTPServer):

? ? ? def handshake(self, tlsConnection):

? ? ? ? ? try:

? ? ? ? ? ? ? tlsConnection.handshakeServer(certChain=certChain,

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? privateKey=privateKey,

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? sessionCache=sessionCache)

? ? ? ? ? ? ? tlsConnection.ignoreAbruptClose = True

? ? ? ? ? ? ? return True

? ? ? ? ? except TLSError, error:

? ? ? ? ? ? ? print "Handshake failure:", str(error)

? ? ? ? ? ? ? return False

?

? httpd = MyHTTPServer(('localhost', 443), SimpleHTTPRequestHandler)

? httpd.serve_forever()

?

?

TLSAsyncDispatcherMixIn.py?

?

? class http_tls_channel(TLSAsyncDispatcherMixIn, http_server.http_channel):

? ? ? ac_in_buffer_size = 16384

?

? ? ? def __init__ (self, server, conn, addr):

? ? ? ? ? http_server.http_channel.__init__(self, server, conn, addr)

? ? ? ? ? TLSAsyncDispatcherMixIn.__init__(self, conn)

? ? ? ? ? self.tlsConnection.ignoreAbruptClose = True

? ? ? ? ? self.setServerHandshakeOp(certChain=certChain, privateKey=privateKey)

?

Twisted协议

?

? from twisted.internet.protocol import Protocol, Factory

? from twisted.internet import reactor

? from twisted.protocols.policies import WrappingFactory

? from twisted.protocols.basic import LineReceiver

? from twisted.python import log

? from twisted.python.failure import Failure

? import sys

? from tlslite.api import *

?

? s = open("./serverX509Cert.pem").read()

? x509 = X509()

? x509.parse(s)

? certChain = X509CertChain([x509])

?

? s = open("./serverX509Key.pem").read()

? privateKey = parsePEMKey(s, private=True)

?

? verifierDB = VerifierDB("verifierDB")

? verifierDB.open()

?

? class Echo(LineReceiver):

? ? ? def connectionMade(self):

? ? ? ? ? self.transport.write("Welcome to the echo server!\r\n")

?

? ? ? def lineReceived(self, line):

? ? ? ? ? self.transport.write(line + "\r\n")

?

? class Echo1(Echo):

? ? ? def connectionMade(self):

? ? ? ? ? if not self.transport.tlsStarted:

? ? ? ? ? ? ? self.transport.setServerHandshakeOp(certChain=certChain,

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? privateKey=privateKey,

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? verifierDB=verifierDB)

? ? ? ? ? else:

? ? ? ? ? ? ? Echo.connectionMade(self)

?

? ? ? def connectionLost(self, reason):

? ? ? ? ? pass #Handle any TLS exceptions here

?

? class Echo2(Echo):

? ? ? def lineReceived(self, data):

? ? ? ? ? if data == "STARTTLS":

? ? ? ? ? ? ? self.transport.setServerHandshakeOp(certChain=certChain,

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? privateKey=privateKey,

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? verifierDB=verifierDB)

? ? ? ? ? else:

? ? ? ? ? ? ? Echo.lineReceived(self, data)

?

? ? ? def connectionLost(self, reason):

? ? ? ? ? pass #Handle any TLS exceptions here

?

? factory = Factory()

? factory.protocol = Echo1

? #factory.protocol = Echo2

?

? wrappingFactory = WrappingFactory(factory)

? wrappingFactory.protocol = TLSTwistedProtocolWrapper

?

? log.startLogging(sys.stdout)

? reactor.listenTCP(1079, wrappingFactory)

? reactor.run()

?

?

安全考虑

TLS Lite 是beta-quality code，尚未经过安全分析，风险自保