Foundations of Python Network Programming

(WallPaper) #1

Chapter 6 ■ tLS/SSL


102


To keep the code simple, neither the client nor the server in Listing 6-3 runs inside a loop. Instead, they each
make a single attempt at conversation. A simple localhost certificate and a CA that has signed it are available in the
chapter06 directory where the listing is located online; if you would like to use them to test the scripts, they can be
downloaded by visiting the following URLs and clicking the Raw button:


https://github.com/brandon-rhodes/fopnp/blob/m/py3/chapter06/ca.crt
https://github.com/brandon-rhodes/fopnp/blob/m/py3/chapter06/localhost.pem


If you have checked out the entire source code repository for the book’s scripts, then you can skip downloading
them separately and just cd into the chapter06 directory where you will find the scripts and certificates already sitting
next to each other. Either way, Listing 6-3 can then be run successfully as long as the localhost alias is working
correctly on your system as a synonym for the 127.0.0.1 IP address. Start by running the server with -s and the path to
your server PEM file in one terminal window.


$ /usr/bin/python3.4 safe_tls.py -s localhost.pem '' 1060


Remember from Chapter 2 and Chapter 3 that the empty hostname '' tells Python that you want your server
to listen on all available interfaces. Now open another terminal window and, first, run the client with your normal
system list of CA certificates that is used when your browser is operating on the public Internet.


$ /usr/bin/python3.4 safe_tls.py localhost 1060
Connected to host 'localhost' and port 1060
Traceback (most recent call last):
...
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)


Because no public authority has signed the certificate inside of localhost.pem, your client is refusing to trust the
server. You will also see that the server has died, with a message indicating that the client started a connection attempt
but then abandoned it. Next, restart the server and then rerun the client with the -a option, which tells it to trust any
certificate that the ca.crt has signed.


$ /usr/bin/python3.4 safe_tls.py -a ca.crt localhost 1060
Connected to host 'localhost' and port 1060
b'Simple is better than complex.'


This time, you can see that the conversation has been a complete success, with a simple message having been
delivered from server to client. If you turn on a packet sniffer like tcpdump, you will find it impossible to decipher the
plain text of the message from the packet contents you capture. On my system, I can monitor the conversation by
running the following command as root (check your operating system documentation for how you might perform
packet capture on your own machine with tcpdump or WireShark or some other tool):


tcpdump -n port 1060 -i lo –X


The first few packets will include a bit of legible information: the certificate and public key, which can be safely
sent in the clear since it is, after all, a public key. My packet dump shows me fragments of legible public keys as the
packets pass by.

Free download pdf