classification
Title: Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib
Type: enhancement Stage: patch review
Components: Library (Lib) Versions: Python 3.4
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, debatem1, jcea, orsenthil, pitrou, sqs
Priority: normal Keywords: patch

Created on 2011-04-27 22:28 by sqs, last changed 2013-06-14 14:08 by christian.heimes.

Files
File name Uploaded Description Edit
python+tls-srp-20110427.patch sqs, 2011-04-27 22:28 add TLS-SRP (RFC 5054) support to ssl, _ssl, http, urllib + tests
Repositories containing patches
https://bitbucket.org/sqs/cpython
Messages (11)
msg134627 - (view) Author: Quinn Slack (sqs) Date: 2011-04-27 22:28
This patch adds support for TLS-SRP (RFC 5054[1]) to Python ssl.SSLSocket, _ssl.c, http, and urllib. TLS-SRP lets a client and server establish a mutually authenticated SSL channel using only a username and password (a certificate may also be used to supplement authentication).

TLS-SRP is supported in GnuTLS, OpenSSL 1.0.1 (soon to be released), cURL, TLSLite (a Python module), and mod_gnutls. There are also patches for Chrome, NSS, mod_ssl, Django, Firefox, WordPress, and SJCL (see [2]). Much of the
growing interest in TLS-SRP is because a couple key PAKE patents expired recently. Also, CAs are perceived as more vulnerable now than a few years ago, and in certain cases TLS-SRP is a good substitute for or supplement to certificate auth. Two Python-specific use cases for TLS-SRP are calling HTTP APIs that require auth, and test suites written in Python for networked software (e.g., Chromium uses TLSLite for network testing).

I'm submitting this patch now to begin gathering feedback.

###########################################################
EXAMPLE USAGE
###########################################################

import urllib.request
res = urllib.request.urlopen("https://tls-srp.test.trustedhttp.org/"
                             tls_username='jsmith', tls_password='abc')
print(res.read())
# => "user: jsmith"

###########################################################

import ssl, http
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.set_tls_username_password('jsmith', 'abc')
h = http.client.HTTPSConnection('tls-srp.test.trustedhttp.org', 443, context=context)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)
# => 200
print(resp.read())
# => "user: jsmith"

###########################################################

import socket, ssl
with socket.socket() as sock:
    s = ssl.wrap_socket(sock,
                        ssl_version=ssl.PROTOCOL_TLSv1,
                        ciphers='SRP',
                        tls_username='jsmith',
                        tls_password='abc')
    s.connect(('tls-srp.test.trustedhttp.org', 443))
    s.write(b"GET / HTTP/1.0\n\n")
    print(s.read())

###########################################################



[1] http://tools.ietf.org/html/rfc5054
[2] http://trustedhttp.org/
[3] http://trustedhttp.org/wiki/TLS-SRP_in_Python
msg134675 - (view) Author: Jesús Cea Avión (jcea) * (Python committer) Date: 2011-04-28 13:20
The idea seems interesting. I will check the RFC ASAP. The patch should include documentation updates, though. You can update the issue number in the NEWS file, also.

Do you plan to complete the sections marked as "TODO"? 

PS: The mercurial repository URL you are linking has an unnedeed username, and firefox complains about it.
msg134676 - (view) Author: Jesús Cea Avión (jcea) * (Python committer) Date: 2011-04-28 13:23
Also, I will not invest too much time on this until OpenSSL 1.0.1 is released, with support for this.
msg134684 - (view) Author: Quinn Slack (sqs) Date: 2011-04-28 15:25
Thanks for checking this out. Yes, this should wait for OpenSSL 1.0.1.

I will fix the TODO. It is there because the current TLS-SRP patch to OpenSSL uses old (pre-RFC 5054) TLS alert values for when the SRP username isn't in the Client Hello. I'm preparing another patch to OpenSSL to fix these, and then I'll update this patch.

I'll also include docs.
msg134920 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-05-01 19:19
Thanks for the patch. Some preliminary comments:

- the OpenSSL functions you are using (SSL_get_srp_username etc.) don't seem documented on openssl.org; this makes it harder to do a proper review
- no need to fill Misc/ACKS and Misc/NEWS by yourself, we can take care of that
- what is an "SRP vbase"? is it something standardized, or OpenSSL-specific?
- if server-side support needs a callback, I think it would be better to let users write their callback in Python, rather than force a hardwired implementation
- ssl.wrap_socket() is the legacy API, I would rather add new features only to the SSLContext API
msg135164 - (view) Author: Quinn Slack (sqs) Date: 2011-05-04 23:57
I have updated the patch in hg to address the sections marked "TODO" (after I submitted a patch to OpenSSL that they depended on). I'll resubmit a patch here in a ~week addressing that issue and those below, to continue pushing this issue along.

pitrou: Thanks for your feedback.

> - the OpenSSL functions you are using (SSL_get_srp_username etc.) don't seem documented on openssl.org; this makes it harder to do a proper review

Yes...I'll submit some docs to OpenSSL on these functions.

> - what is an "SRP vbase"? is it something standardized, or OpenSSL-specific?
> - if server-side support needs a callback, I think it would be better to let users write their callback in Python, rather than force a hardwired implementation

An SRP "vbase" is OpenSSL's name for the SRP password (verifier) database. I will generalize this interface so that Python callbacks can be provided (in addition to using an OpenSSL verifier database).

> - no need to fill Misc/ACKS and Misc/NEWS by yourself, we can take care of that
> - ssl.wrap_socket() is the legacy API, I would rather add new features only to the SSLContext API

Got it.
msg159951 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-05-04 17:53
Quinn, are you planning to work on an updated patch?
msg170223 - (view) Author: Jesús Cea Avión (jcea) * (Python committer) Date: 2012-09-10 19:41
Ping!.
msg170282 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2012-09-11 09:20
2012/9/10 Jesús Cea Avión <report@bugs.python.org>:
>
> Ping!.

Guess, it is still for 3.4.
msg170307 - (view) Author: Jesús Cea Avión (jcea) * (Python committer) Date: 2012-09-11 13:52
Yes, 3.4.

I would hate to rush, in two years, because this issue was neglected during 18 months :)

No reason for not starting now.
msg170308 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-09-11 14:05
Le mardi 11 septembre 2012 à 13:52 +0000, Jesús Cea Avión a écrit :
> No reason for not starting now.

There's no point in being pushy, though. If you want to "start", the
best thing is to work on the patch and update it.
History
Date User Action Args
2013-06-14 14:08:58christian.heimessetnosy: + christian.heimes
2012-09-11 14:05:24pitrousetmessages: + msg170308
2012-09-11 13:52:55jceasetmessages: + msg170307
2012-09-11 09:20:25orsenthilsetmessages: + msg170282
2012-09-10 19:41:17jceasetmessages: + msg170223
2012-06-29 00:05:46pitrousetversions: + Python 3.4, - Python 3.3
2012-05-04 17:53:32pitrousetmessages: + msg159951
2011-05-04 23:57:21sqssetmessages: + msg135164
2011-05-01 19:19:20pitrousetmessages: + msg134920
2011-04-28 15:25:26sqssetmessages: + msg134684
2011-04-28 13:23:21jceasetmessages: + msg134676
2011-04-28 13:20:39jceasetmessages: + msg134675
2011-04-28 13:07:29orsenthilsetnosy: + orsenthil
2011-04-28 12:59:14jceasetnosy: + jcea
2011-04-27 22:55:08pitrousetnosy: + pitrou, debatem1

type: enhancement
stage: patch review
2011-04-27 22:28:50sqscreate