python - Two-way SSL authentication for Flask
I have implemented SSL communication in which a client application verifies the identity of an SSL server application built with Flask. Now I want the SSL server application to verify the identity of the SSL client application. Is this possible with Flask? How do I verify the client certificate? During the first handshake the client sends a CSR, and in response I send back a certificate signed by a self-signed CA certificate.
But it is not yet clear to me how the client is verified by the server during the next communication. Is there a callback for cert verification? A link on Google Groups says it is not possible to have SSL authentication on Flask, and that in order to do so one needs to use a web server such as Apache or nginx. Is there a way to authenticate the client?
There is one more thing I want to achieve: I need to identify each client based on its certificate. Is this possible with Flask?
My question may be naive as I am not yet familiar with Flask.
Disclaimer
Before I start, note @Emanuel Ey's comment. You want to consider whether this is being done on a production or a development server first. For example, if you are using the Apache web server, the HTTPS component can be done by Apache. Things are done differently there: you pass through the certificate details via options, and the server app verifies the serial number within the app itself.
It is possible
But the way it is possible is not considered good programming practice. Unfortunately, it's not accessible via flask.request, and it is not possible with the Flask package alone. However, Flask uses Werkzeug, and it is possible by patching the werkzeug.serving package while writing your main Flask code. This is not recommended because you may want to update Flask or Werkzeug later, and the patch might break and need to be re-factored, e.g. going from 0.9 to 1.0.
This provides a solution without using a web server. I recommend the web server/environment variable combo. It is cleaner and comparatively better practice.
I have done some testing to see if this is easy to implement. I am able to confirm this method can work using the latest development codebase 'Werkzeug-0.10_devdev_20141223-py2.7'.
You'll want to verify the serial number (seed number) found in each certificate (and maybe other variables). As you may know, the serial is unique to each certificate and is determined during the certificate generation process on the server side. It helps to store it along with the client's record and certificate information (where appropriate) in order to verify the client certificate's serial number later on. Note: this may require conversions between hex and base 10 decimal.
Werkzeug dev_2014122
What I did was add the following options to the call to wrap_socket() in werkzeug.serving.BaseWSGIServer.__init__.
Use these: server_side=True, ca_certs='/etc/apache2/ssl/ca.pem', cert_reqs=ssl.CERT_REQUIRED
- ca_certs: the CA cert to verify against (the CA cert used to generate the client certificates)
- ssl.CERT_REQUIRED: require client certificate verification against ca_certs
Note: if the client certificate does not pass the initial verification you will not be able to fetch the client certificate; it will be None.
Then in the Flask test class I patched verify_request, where

```python
import werkzeug.serving
from pyasn1.codec.der import decoder  # DER decoder; assumed to be the `decoder` used here

def verify_request(self, request, client_address):
    # binary_form=True returns the DER-encoded client certificate (None if CA verification failed)
    cert = request.getpeercert(True)
    raw = decoder.decode(cert)[0]
    # raw[0] is tbsCertificate; raw[0][1] is its serialNumber
    print("Serial number of certificate is: %s" % str(raw[0][1]))
    # TODO: checks; return True only if the serial number is OK
    return True

werkzeug.serving.BaseWSGIServer.verify_request = verify_request
```
This proved it possible, but you'll want to investigate the request handlers of the HTTPServer class that BaseWSGIServer inherits from to find a better way to call or override it.
Werkzeug 0.9.x
If you are using Werkzeug 0.9.x, I'm assuming you are using `from OpenSSL import SSL`. See the code snippet here. I have not tested this.
Some of the calls you may be interested in for that version are:
- Context.set_verify(mode, callback)
- Connection.get_peer_certificate()
Clarification
What I do not understand is the reference to sending a CSR during the first handshake. If this is the process of client certificate generation, you may want to rethink how it is done in the context of your system and environment. If you have more information, I can comment further.
Also, a 'handshake' in the SSL/TLS context refers to the action of creating the secure connection in the first place using an existing certificate. After handshaking, loosely speaking, the connection is established.
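The serial-number check the answer sketches for the patched verify_request (and the same check you would run inside a pyOpenSSL set_verify callback for the 0.9.x path), written out as an added example that is not code from the answer or from Werkzeug/Flask. It avoids pyasn1 by walking just enough DER to reach serialNumber in TBSCertificate, normalizes the hex forms openssl prints into integers (the hex-vs-decimal point above), and refuses the request when getpeercert() returns None or the bytes are malformed. The sample certificates, FakeSSLRequest, and the allowlist values are constructed for this example; the wrap_socket settings are the ones given in the answer.

```python
"""Client-certificate serial allowlist for a Werkzeug-served Flask app (added example)."""
import ssl

# Settings the answer adds to wrap_socket() in BaseWSGIServer.__init__ (path taken from the answer).
WRAP_SOCKET_KWARGS = dict(server_side=True, ca_certs="/etc/apache2/ssl/ca.pem",
                          cert_reqs=ssl.CERT_REQUIRED)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_serial(der_cert):
    """serialNumber of a DER X.509 certificate as an int.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber INTEGER, ... }
    """
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # [0] EXPLICIT version present (v2/v3): skip it
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)   # DER INTEGER is two's complement


def normalize_serial(value):
    """Accept an int, or the hex forms openssl prints: 'serial=0A1B', '0a:1b', '0x0a1b'."""
    if isinstance(value, int):
        return value
    text = value.strip().lower()
    if text.startswith("serial="):
        text = text[len("serial="):]
    if text.startswith("0x"):
        text = text[2:]
    return int(text.replace(":", ""), 16)


def make_verify_request(allowed_serials):
    """Build a replacement for BaseWSGIServer.verify_request(self, request, client_address).

    Assumes the listening socket was wrapped with WRAP_SOCKET_KWARGS, so getpeercert(True)
    returns the client's DER cert, or None when the CA check already rejected it.
    Install with: werkzeug.serving.BaseWSGIServer.verify_request = make_verify_request([...])
    """
    allowed = {normalize_serial(s) for s in allowed_serials}

    def verify_request(self, request, client_address):
        der = request.getpeercert(True)
        if not der:                          # no cert presented, or rejected by the CA check
            return False
        try:
            return parse_serial(der) in allowed
        except (ValueError, IndexError):     # malformed DER: refuse instead of crashing the server
            return False

    return verify_request


# --- constructed sample input: DER skeletons, not real signed certificates ---
def _tlv(tag, body):
    """Encode a short-form DER TLV (body shorter than 128 bytes)."""
    return bytes([tag, len(body)]) + body


# v3-style: version [0] EXPLICIT present, serial 0x0A1B (2587)
SAMPLE_CERT_V3 = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x0a\x1b"))
                      + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
# v1-style: no version field, serial 7
SAMPLE_CERT_V1 = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x07")) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


class FakeSSLRequest:
    """Stand-in for the accepted SSLSocket; exposes only getpeercert() (constructed for the example)."""
    def __init__(self, der):
        self._der = der

    def getpeercert(self, binary_form=False):
        return self._der if binary_form else None


if __name__ == "__main__":
    verify = make_verify_request(["serial=0A1B"])                           # allowlist in openssl hex form
    print(verify(None, FakeSSLRequest(SAMPLE_CERT_V3), ("127.0.0.1", 1)))  # True
    print(verify(None, FakeSSLRequest(SAMPLE_CERT_V1), ("127.0.0.1", 2)))  # False: serial 7 not allowed
    print(verify(None, FakeSSLRequest(None), ("127.0.0.1", 3)))            # False: no verified cert
```

The allowlist is keyed on the integer serial, so records stored as openssl's hex output and records stored as decimal compare correctly; and because verify_request runs only after ssl has already checked the chain against ca_certs, a serial match alone never admits a certificate the CA did not sign.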