How to create an HTTPS client with double authentication in Python without (L)GPL libs?

The client and server are internal; each of them has a certificate signed by the internal CA, plus the CA certificate. I need the client to authenticate the server certificate against the CA certificate. It must also send its own certificate to the server for authentication.

The urllib2 manual states that server authentication is not performed. PycURL is a natural alternative, but its license has not yet been approved. I would also prefer not to compile the library from the source code, but to use RPM instead.

I looked through a lot of libraries, like requests and httplib2, and can't see what I need. There is also the ssl module, but I don't feel like implementing HTTP myself if I don't really have to.

Python 2.6 on RHEL 5.7

+6
3 answers

Well, the winner is (almost) httplib2 v0.7. Starting with this version, it supports SSL certificate authentication. Here is sample code:

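    import httplib2

    # Verify the server certificate against the internal CA
    client = httplib2.Http(ca_certs='ca.crt')
    # Client certificate and key presented to the server
    client.add_certificate(key='client_private_key.pem', cert='cert_client.pem', domain='')
    # query is the https:// URL being requested
    headers, resp = client.request(query)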

Pay attention to the parameter domain=''; otherwise it does not work for me.

PS. Unfortunately, this simple solution does not work for me, since I forgot to mention an additional requirement: installation from RPM for RHEL 5.7 and Python 2.6.

+6

Twisted Python is a library that can do what you need, although I'm not sure if the MIT license matches what you want. The GPL is a fairly specific license, and I hope you didn’t mean "all open source licenses."

See the SSL examples at http://twistedmatrix.com/documents/current/core/howto/ssl.html. The last couple of examples on this page are especially relevant based on your description. Twisted uses PyOpenSSL (docs), which is licensed under the Apache license. You can also use PyOpenSSL.

+3

Update: if requests did not previously support certificates on the client side, it supports them now, if the local private key (if any) is not encrypted:

    >>> requests.get('https://FOO.BAR.BAZ/', cert=('/path/client.cert', '/path/client.key'))
    <Response [200]>
+2
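
For comparison, the same client built only from the Python 3 standard library, as an added example that is not part of any answer above. It assumes Python 3.6 or later (ssl.SSLContext does not exist on the asker's Python 2.6); the file names follow the httplib2 answer, and the host name and function names are placeholders.

```python
import http.client
import ssl


def strict_client_context():
    """TLS client context that verifies the server and trusts no CA yet."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by
    # default and starts with an empty trust store (no system CAs).
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def build_mtls_context(ca_file, cert_file, key_file, key_password=None):
    """Context for a client that authenticates the server and itself."""
    ctx = strict_client_context()
    # Server authentication: only certificates chaining to the internal CA pass.
    ctx.load_verify_locations(cafile=ca_file)
    # Client authentication: certificate and key sent when the server asks.
    # key_password covers an encrypted private key.
    ctx.load_cert_chain(cert_file, keyfile=key_file, password=key_password)
    return ctx


def fetch(host, path, ctx, port=443, timeout=10):
    """GET https://host:port/path; raises ssl.SSLError if the handshake fails."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # File names as in the httplib2 answer; the host name is a placeholder.
    context = build_mtls_context("ca.crt", "cert_client.pem",
                                 "client_private_key.pem")
    print(fetch("server.internal.example", "/", context))
```

Because the context starts with an empty trust store, a server certificate issued by any public CA is rejected as well; only the internal CA is accepted.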

Source: https://habr.com/ru/post/907376/