Index: third_party/tlslite/readme.txt |
diff --git a/third_party/tlslite/readme.txt b/third_party/tlslite/readme.txt |
deleted file mode 100644 |
index c1f1b3840c7eff91e1b40049633e4945c57ad660..0000000000000000000000000000000000000000 |
--- a/third_party/tlslite/readme.txt |
+++ /dev/null |
@@ -1,815 +0,0 @@ |
- |
-tlslite version 0.3.8 February 21, 2005 |
-Trevor Perrin <trevp at trevp.net> |
-http://trevp.net/tlslite/ |
-============================================================================ |
- |
- |
-Table of Contents |
-================== |
-1 Introduction |
-2 License/Acknowledgements |
-3 Installation |
-4 Getting Started with the Command-Line Tools |
-5 Getting Started with the Library |
-6 Using TLS Lite with httplib |
-7 Using TLS Lite with xmlrpclib |
-8 Using TLS Lite with poplib or imaplib |
-9 Using TLS Lite with smtplib |
-10 Using TLS Lite with SocketServer |
-11 Using TLS Lite with asyncore |
-12 Using TLS Lite with Twisted |
-13 SECURITY CONSIDERATIONS |
-14 History |
-15 References |
- |
- |
-1 Introduction |
-=============== |
-TLS Lite is a free python library that implements SSL v3, TLS v1, and |
-TLS v1.1 [0]. TLS Lite supports non-traditional authentication methods |
-such as SRP [1], shared keys [2], and cryptoIDs [3], in addition to X.509 |
-certificates. TLS Lite is pure python, however it can access OpenSSL [4], |
-cryptlib [5], pycrypto [9], and GMPY [10] for faster crypto operations. TLS |
-Lite integrates with httplib, xmlrpclib, poplib, imaplib, smtplib, |
-SocketServer, asyncore, and Twisted. |
- |
-API documentation is available in the 'docs' directory. |
- |
-If you have questions or feedback, feel free to contact me. |
- |
- |
-2 Licenses/Acknowledgements |
-============================ |
-All code here is public domain. |
- |
-Thanks to Bram Cohen for his public domain Rijndael implementation. |
- |
-Thanks to Edward Loper for Epydoc, which generated the API docs. |
- |
- |
-3 Installation |
-=============== |
-Requirements: |
- Python 2.2 or greater is required. |
- |
-Options: |
- - If you have cryptoIDlib [8], you can use cryptoID certificate chains for |
- authentication. CryptoIDlib is the sister library to TLS Lite; it was |
- written by the same author, and has a similar interface. |
- |
- - If you have the M2Crypto [6] interface to OpenSSL, this will be used for |
- fast RSA operations and fast ciphers. |
- |
- - If you have the cryptlib_py [7] interface to cryptlib, this will be used |
- for random number generation and fast ciphers. If TLS Lite can't find an |
- OS-level random-number generator (i.e. /dev/urandom on UNIX or CryptoAPI on |
- Windows), then you must MUST install cryptlib. |
- |
- - If you have pycrypto [9], this will be used for fast ciphers and fast RSA |
- operations. |
- |
- - If you have the GMPY [10] interface to GMP, this will be used for fast RSA |
- and SRP operations. |
- |
- - These modules don't need to be present at installation - you can install |
- them any time. |
- |
-On Windows: |
- Run the installer in the 'installers' directory. |
- *OR* |
- Run 'setup.py install' (this only works if your system has a compiler |
- available). |
- |
-Anywhere else: |
- - Run 'python setup.py install' |
- |
-Test the Installation: |
- - The 'tls.py' script should have been copied onto your path. If not, |
- you may have to copy it there manually. |
- - From the distribution's ./test subdirectory, run: |
- tls.py servertest localhost:4443 . |
- - While the test server is waiting, run: |
- tls.py clienttest localhost:4443 . |
- |
- If both say "Test succeeded" at the end, you're ready to go. |
- |
- (WARNING: Be careful running these (or any) scripts from the distribution's |
- root directory. Depending on your path, the scripts may load the local copy |
- of the library instead of the installed version, with unpredictable |
- results). |
- |
- |
-4 Getting Started with the Command-Line Tools |
-============================================== |
-tlslite comes with two command-line scripts: 'tlsdb.py' and 'tls.py'. They |
-can be run with no arguments to see a list of commands. |
- |
-'tlsdb.py' lets you manage shared key or verifier databases. These databases |
-store usernames associated with either shared keys, or SRP password verifiers. |
-These databases are used by a TLS server when authenticating clients with |
-shared keys or SRP. |
- |
-'tls.py' lets you run test clients and servers. It can be used for testing |
-other TLS implementations, or as example code for using tlslite. To run an |
-SRP server, try something like: |
- |
- tlsdb.py createsrp verifierDB |
- tlsdb.py add verifierDB alice abra123cadabra 1024 |
- tlsdb.py add verifierDB bob swordfish 2048 |
- |
- tls.py serversrp localhost:443 verifierDB |
- |
-Then you can try connecting to the server with: |
- |
- tls.py clientsrp localhost:443 alice abra123cadabra |
- |
- |
-5 Getting Started with the Library |
-=================================== |
-Using the library is simple. Whether you're writing a client or server, there |
-are six steps: |
-1) Create a socket and connect it to the other party. |
-2) Construct a TLSConnection instance with the socket. |
-3) Call a handshake function on TLSConnection to perform the TLS handshake. |
-4) Check the results to make sure you're talking to the right party. |
-5) Use the TLSConnection to exchange data. |
-6) Call close() on the TLSConnection when you're done. |
- |
-TLS Lite also integrates with httplib, xmlrpclib, poplib, imaplib, smtplib, |
-SocketServer, asyncore, and Twisted. When used with these, some of the steps |
-are performed for you. See the sections following this one for details. |
- |
-5 Step 1 - create a socket |
---------------------------- |
-Below demonstrates a socket connection to Amazon's secure site. It's a good |
-idea to set the timeout value, so if the other side fails to respond you won't |
-end up waiting forever. |
- |
- from socket import * |
- sock = socket(AF_INET, SOCK_STREAM) |
- sock.connect( ("www.amazon.com", 443) ) |
- sock.settimeout(10) #Only on python 2.3 or greater |
- |
-5 Step 2 - construct a TLSConnection |
-------------------------------------- |
- from tlslite.api import * |
- connection = TLSConnection(sock) |
- |
-5 Step 3 - call a handshake function (client) |
----------------------------------------------- |
-If you're a client, there's several different handshake functions you can |
-call, depending on how you want to authenticate: |
- |
- connection.handshakeClientCert() |
- connection.handshakeClientCert(certChain, privateKey) |
- connection.handshakeClientSRP("alice", "abra123cadabra") |
- connection.handshakeClientSharedKey("alice", "PaVBVZkYqAjCQCu6UBL2xgsnZhw") |
- connection.handshakeClientUnknown(srpCallback, certCallback) |
- |
-The ClientCert function without arguments is used when connecting to a site |
-like Amazon, which doesn't require client authentication. The server will |
-authenticate with a certificate chain. |
- |
-The ClientCert function can also be used to do client authentication with an |
-X.509 or cryptoID certificate chain. To use cryptoID chains, you'll need the |
-cryptoIDlib library [8]. To use X.509 chains, you'll need some way of |
-creating these, such as OpenSSL (see http://www.openssl.org/docs/HOWTO/ for |
-details). |
- |
-Below are examples of loading cryptoID and X.509 certificate chains: |
- |
- #Load cryptoID certChain and privateKey. Requires cryptoIDlib. |
- from cryptoIDlib.CertChain import CertChain |
- s = open("./test/clientCryptoIDChain.xml").read() |
- certChain = CertChain() |
- certChain.parse(s) |
- s = open("./test/clientCryptoIDKey.xml").read() |
- privateKey = parseXMLKey(s, private=True) |
- |
- #Load X.509 certChain and privateKey. |
- s = open("./test/clientX509Cert.pem").read() |
- x509 = X509() |
- x509.parse(s) |
- certChain = X509CertChain([x509]) |
- s = open("./test/clientX509Key.pem").read() |
- privateKey = parsePEMKey(s, private=True) |
- |
-The SRP and SharedKey functions both do mutual authentication with a username |
-and password. The difference is this: SRP is slow but safer when using low- |
-entropy passwords, since the SRP protocol is not vulnerable to offline |
-dictionary attacks. Using shared keys is faster, but it's only safe when |
-used with high-entropy secrets. In general, you should prefer SRP for human- |
-memorable passwords, and use shared keys only when your performance needs |
-outweigh the inconvenience of handling large random strings. |
- |
-[WARNING: shared keys and SRP are internet-drafts; these protocols may change, |
-which means future versions of tlslite may not be compatible with this one. |
-This is less likely with SRP, more likely with shared-keys.] |
- |
-The Unknown function is used when you're not sure if the server requires |
-client authentication. If the server requests SRP or certificate-based |
-authentication, the appropriate callback will be triggered, and you should |
-return a tuple containing either a (username, password) or (certChain, |
-privateKey), as appropriate. Alternatively, you can return None, which will |
-cancel the handshake from an SRP callback, or cause it to continue without |
-client authentication (if the server is willing) from a certificate callback. |
- |
-If you want more control over the handshake, you can pass in a |
-HandshakeSettings instance. For example, if you're performing SRP, but you |
-only want to use SRP parameters of at least 2048 bits, and you only want to use |
-the AES-256 cipher, and you only want to allow TLS (version 3.1), not SSL |
-(version 3.0), you can do: |
- |
- settings = HandshakeSettings() |
- settings.minKeySize = 2048 |
- settings.cipherNames = ["aes256"] |
- settings.minVersion = (3,1) |
- connection.handshakeClientSRP("alice", "abra123cadabra", settings=settings) |
- |
-Finally, every TLSConnection has a session object. You can try to resume a |
-previous session by passing in the session object from the old session. If |
-the server remembers this old session and supports resumption, the handshake |
-will finish more quickly. Otherwise, the full handshake will be done. For |
-example: |
- |
- connection.handshakeClientSRP("alice", "abra123cadabra") |
- . |
- . |
- oldSession = connection.session |
- connection2.handshakeClientSRP("alice", "abra123cadabra", session= |
- oldSession) |
- |
-5 Step 3 - call a handshake function (server) |
----------------------------------------------- |
-If you're a server, there's only one handshake function, but you can pass it |
-several different parameters, depending on which types of authentication |
-you're willing to perform. |
- |
-To perform SRP authentication, you have to pass in a database of password |
-verifiers. The VerifierDB class manages an in-memory or on-disk verifier |
-database. |
- |
- #On-disk database (use no-arg constructor if you want an in-memory DB) |
- verifierDB = VerifierDB("./test/verifierDB") |
- |
- #Open the pre-existing database (can also 'create()' a new one) |
- verifierDB.open() |
- |
- #Add to the database |
- verifier = VerifierDB.makeVerifier("alice", "abra123cadabra", 2048) |
- verifierDB["alice"] = verifier |
- |
- #Perform a handshake using the database |
- connection.handshakeServer(verifierDB=verifierDB) |
- |
-To perform shared key authentication, you have to pass in a database of shared |
-keys. The SharedKeyDB class manages an in-memory or on-disk shared key |
-database. |
- |
- sharedKeyDB = SharedKeyDB("./test/sharedkeyDB") |
- sharedKeyDB.open() |
- sharedKeyDB["alice"] = "PaVBVZkYqAjCQCu6UBL2xgsnZhw" |
- connection.handshakeServer(sharedKeyDB=sharedKeyDB) |
- |
-To perform authentication with a certificate and private key, the server must |
-load these as described in the previous section, then pass them in. If the |
-server sets the reqCert boolean to True, a certificate chain will be requested |
-from the client. |
- |
- connection.handshakeServer(certChain=certChain, privateKey=privateKey, |
- reqCert=True) |
- |
-You can pass in any combination of a verifier database, a shared key database, |
-and a certificate chain/private key. The client will use one of them to |
-authenticate. In the case of SRP and a certificate chain/private key, they |
-both may be used. |
- |
-You can also pass in a HandshakeSettings object, as described in the last |
-section, for finer control over handshaking details. Finally, the server can |
-maintain a SessionCache, which will allow clients to use session resumption: |
- |
- sessionCache = SessionCache() |
- connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) |
- |
-It should be noted that the session cache, and the verifier and shared key |
-databases, are all thread-safe. |
- |
-5 Step 4 - check the results |
------------------------------ |
-If the handshake completes without raising an exception, authentication |
-results will be stored in the connection's session object. The following |
-variables will be populated if applicable, or else set to None: |
- |
- connection.session.srpUsername #string |
- connection.session.sharedKeyUsername #string |
- connection.session.clientCertChain #X509CertChain or |
- #cryptoIDlib.CertChain.CertChain |
- connection.session.serverCertChain #X509CertChain or |
- #cryptoIDlib.CertChain.CertChain |
- |
-Both types of certificate chain object support the getFingerprint() function, |
-but with a difference. X.509 objects return the end-entity fingerprint, and |
-ignore the other certificates. CryptoID fingerprints (aka "cryptoIDs") are |
-based on the root cryptoID certificate, so you have to call validate() on the |
-CertChain to be sure you're really talking to the cryptoID. |
- |
-X.509 certificate chain objects may also be validated against a list of |
-trusted root certificates. See the API documentation for details. |
- |
-To save yourself the trouble of inspecting fingerprints after the handshake, |
-you can pass a Checker object into the handshake function. The checker will be |
-called if the handshake completes successfully. If the other party's |
-certificate chain isn't approved by the checker, a subclass of |
-TLSAuthenticationError will be raised. For example, to perform a handshake |
-with a server based on its X.509 fingerprint, do: |
- |
- try: |
- checker = Checker(\ |
- x509Fingerprint='e049ff930af76d43ff4c658b268786f4df1296f2') |
- connection.handshakeClientCert(checker=checker) |
- except TLSAuthenticationError: |
- print "Authentication failure" |
- |
-If the handshake fails for any reason, an exception will be raised. If the |
-socket timed out or was unexpectedly closed, a socket.error or |
-TLSAbruptCloseError will be raised. Otherwise, either a TLSLocalAlert or |
-TLSRemoteAlert will be raised, depending on whether the local or remote |
-implementation signalled the error. The exception object has a 'description' |
-member which identifies the error based on the codes in RFC 2246. A |
-TLSLocalAlert also has a 'message' string that may have more details. |
- |
-Example of handling a remote alert: |
- |
- try: |
- [...] |
- except TLSRemoteAlert, alert: |
- if alert.description == AlertDescription.unknown_srp_username: |
- print "Unknown user." |
- [...] |
- |
-Figuring out what went wrong based on the alert may require some |
-interpretation, particularly with remote alerts where you don't have an error |
-string, and where the remote implementation may not be signalling alerts |
-properly. Many alerts signal an implementation error, and so should rarely be |
-seen in normal operation (unexpected_message, decode_error, illegal_parameter, |
-internal_error, etc.). |
- |
-Others alerts are more likely to occur. Below are some common alerts and |
-their probable causes, and whether they are signalled by the client or server. |
- |
-Client bad_record_mac: |
- - bad shared key password |
- |
-Client handshake failure: |
- - SRP parameters are not recognized by client |
- |
-Client user_canceled: |
- - The client might have returned None from an SRP callback. |
- |
-Client insufficient_security: |
- - SRP parameters are too small |
- |
-Client protocol_version: |
- - Client doesn't support the server's protocol version |
- |
-Server protocol_version: |
- - Server doesn't support the client's protocol version |
- |
-Server bad_record_mac: |
- - bad SRP username or password |
- |
-Server unknown_srp_username |
- - bad SRP username (bad_record_mac could be used for the same thing) |
- |
-Server handshake_failure: |
- - bad shared key username |
- - no matching cipher suites |
- |
-5 Step 5 - exchange data |
-------------------------- |
-Now that you have a connection, you can call read() and write() as if it were |
-a socket.SSL object. You can also call send(), sendall(), recv(), and |
-makefile() as if it were a socket. These calls may raise TLSLocalAlert, |
-TLSRemoteAlert, socket.error, or TLSAbruptCloseError, just like the handshake |
-functions. |
- |
-Once the TLS connection is closed by the other side, calls to read() or recv() |
-will return an empty string. If the socket is closed by the other side |
-without first closing the TLS connection, calls to read() or recv() will return |
-a TLSAbruptCloseError, and calls to write() or send() will return a |
-socket.error. |
- |
-5 Step 6 - close the connection |
--------------------------------- |
-When you're finished sending data, you should call close() to close the |
-connection down. When the connection is closed properly, the socket stays |
-open and can be used for exchanging non-secure data, the session object can be |
-used for session resumption, and the connection object can be re-used by |
-calling another handshake function. |
- |
-If an exception is raised, the connection will be automatically closed; you |
-don't need to call close(). Furthermore, you will probably not be able to re- |
-use the socket, the connection object, or the session object, and you |
-shouldn't even try. |
- |
-By default, calling close() will leave the socket open. If you set the |
-connection's closeSocket flag to True, the connection will take ownership of |
-the socket, and close it when the connection is closed. |
- |
- |
-6 Using TLS Lite with httplib |
-============================== |
-TLS Lite comes with an HTTPTLSConnection class that extends httplib to work |
-over SSL/TLS connections. Depending on how you construct it, it will do |
-different types of authentication. |
- |
- #No authentication whatsoever |
- h = HTTPTLSConnection("www.amazon.com", 443) |
- h.request("GET", "") |
- r = h.getresponse() |
- [...] |
- |
- #Authenticate server based on its X.509 fingerprint |
- h = HTTPTLSConnection("www.amazon.com", 443, |
- x509Fingerprint="e049ff930af76d43ff4c658b268786f4df1296f2") |
- [...] |
- |
- #Authenticate server based on its X.509 chain (requires cryptlib_py [7]) |
- h = HTTPTLSConnection("www.amazon.com", 443, |
- x509TrustList=[verisignCert], |
- x509CommonName="www.amazon.com") |
- [...] |
- |
- #Authenticate server based on its cryptoID |
- h = HTTPTLSConnection("localhost", 443, |
- cryptoID="dmqb6.fq345.cxk6g.5fha3") |
- [...] |
- |
- #Mutually authenticate with SRP |
- h = HTTPTLSConnection("localhost", 443, |
- username="alice", password="abra123cadabra") |
- [...] |
- |
- #Mutually authenticate with a shared key |
- h = HTTPTLSConnection("localhost", 443, |
- username="alice", sharedKey="PaVBVZkYqAjCQCu6UBL2xgsnZhw") |
- [...] |
- |
- #Mutually authenticate with SRP, *AND* authenticate the server based |
- #on its cryptoID |
- h = HTTPTLSConnection("localhost", 443, |
- username="alice", password="abra123cadabra", |
- cryptoID="dmqb6.fq345.cxk6g.5fha3") |
- [...] |
- |
- |
-7 Using TLS Lite with xmlrpclib |
-================================ |
-TLS Lite comes with an XMLRPCTransport class that extends xmlrpclib to work |
-over SSL/TLS connections. This class accepts the same parameters as |
-HTTPTLSConnection (see previous section), and behaves similarly. Depending on |
-how you construct it, it will do different types of authentication. |
- |
- from tlslite.api import XMLRPCTransport |
- from xmlrpclib import ServerProxy |
- |
- #No authentication whatsoever |
- transport = XMLRPCTransport() |
- server = ServerProxy("https://localhost", transport) |
- server.someFunc(2, 3) |
- [...] |
- |
- #Authenticate server based on its X.509 fingerprint |
- transport = XMLRPCTransport(\ |
- x509Fingerprint="e049ff930af76d43ff4c658b268786f4df1296f2") |
- [...] |
- |
- |
-8 Using TLS Lite with poplib or imaplib |
-======================================== |
-TLS Lite comes with POP3_TLS and IMAP4_TLS classes that extend poplib and |
-imaplib to work over SSL/TLS connections. These classes can be constructed |
-with the same parameters as HTTPTLSConnection (see previous section), and |
-behave similarly. |
- |
- #To connect to a POP3 server over SSL and display its fingerprint: |
- from tlslite.api import * |
- p = POP3_TLS("---------.net") |
- print p.sock.session.serverCertChain.getFingerprint() |
- [...] |
- |
- #To connect to an IMAP server once you know its fingerprint: |
- from tlslite.api import * |
- i = IMAP4_TLS("cyrus.andrew.cmu.edu", |
- x509Fingerprint="00c14371227b3b677ddb9c4901e6f2aee18d3e45") |
- [...] |
- |
- |
-9 Using TLS Lite with smtplib |
-============================== |
-TLS Lite comes with an SMTP_TLS class that extends smtplib to work |
-over SSL/TLS connections. This class accepts the same parameters as |
-HTTPTLSConnection (see previous section), and behaves similarly. Depending |
-on how you call starttls(), it will do different types of authentication. |
- |
- #To connect to an SMTP server once you know its fingerprint: |
- from tlslite.api import * |
- s = SMTP_TLS("----------.net") |
- s.starttls(x509Fingerprint="7e39be84a2e3a7ad071752e3001d931bf82c32dc") |
- [...] |
- |
- |
-10 Using TLS Lite with SocketServer |
-==================================== |
-You can use TLS Lite to implement servers using Python's SocketServer |
-framework. TLS Lite comes with a TLSSocketServerMixIn class. You can combine |
-this with a TCPServer such as HTTPServer. To combine them, define a new class |
-that inherits from both of them (with the mix-in first). Then implement the |
-handshake() method, doing some sort of server handshake on the connection |
-argument. If the handshake method returns True, the RequestHandler will be |
-triggered. Below is a complete example of a threaded HTTPS server. |
- |
- from SocketServer import * |
- from BaseHTTPServer import * |
- from SimpleHTTPServer import * |
- from tlslite.api import * |
- |
- s = open("./serverX509Cert.pem").read() |
- x509 = X509() |
- x509.parse(s) |
- certChain = X509CertChain([x509]) |
- |
- s = open("./serverX509Key.pem").read() |
- privateKey = parsePEMKey(s, private=True) |
- |
- sessionCache = SessionCache() |
- |
- class MyHTTPServer(ThreadingMixIn, TLSSocketServerMixIn, HTTPServer): |
- def handshake(self, tlsConnection): |
- try: |
- tlsConnection.handshakeServer(certChain=certChain, |
- privateKey=privateKey, |
- sessionCache=sessionCache) |
- tlsConnection.ignoreAbruptClose = True |
- return True |
- except TLSError, error: |
- print "Handshake failure:", str(error) |
- return False |
- |
- httpd = MyHTTPServer(('localhost', 443), SimpleHTTPRequestHandler) |
- httpd.serve_forever() |
- |
- |
-11 Using TLS Lite with asyncore |
-================================ |
-TLS Lite can be used with subclasses of asyncore.dispatcher. See the comments |
-in TLSAsyncDispatcherMixIn.py for details. This is still experimental, and |
-may not work with all asyncore.dispatcher subclasses. |
- |
-Below is an example of combining Medusa's http_channel with |
-TLSAsyncDispatcherMixIn: |
- |
- class http_tls_channel(TLSAsyncDispatcherMixIn, |
- http_server.http_channel): |
- ac_in_buffer_size = 16384 |
- |
- def __init__ (self, server, conn, addr): |
- http_server.http_channel.__init__(self, server, conn, addr) |
- TLSAsyncDispatcherMixIn.__init__(self, conn) |
- self.tlsConnection.ignoreAbruptClose = True |
- self.setServerHandshakeOp(certChain=certChain, |
- privateKey=privateKey) |
- |
- |
-12 Using TLS Lite with Twisted |
-=============================== |
-TLS Lite can be used with Twisted protocols. Below is a complete example of |
-using TLS Lite with a Twisted echo server. |
- |
-There are two server implementations below. Echo is the original protocol, |
-which is oblivious to TLS. Echo1 subclasses Echo and negotiates TLS when the |
-client connects. Echo2 subclasses Echo and negotiates TLS when the client |
-sends "STARTTLS". |
- |
- from twisted.internet.protocol import Protocol, Factory |
- from twisted.internet import reactor |
- from twisted.protocols.policies import WrappingFactory |
- from twisted.protocols.basic import LineReceiver |
- from twisted.python import log |
- from twisted.python.failure import Failure |
- import sys |
- from tlslite.api import * |
- |
- s = open("./serverX509Cert.pem").read() |
- x509 = X509() |
- x509.parse(s) |
- certChain = X509CertChain([x509]) |
- |
- s = open("./serverX509Key.pem").read() |
- privateKey = parsePEMKey(s, private=True) |
- |
- verifierDB = VerifierDB("verifierDB") |
- verifierDB.open() |
- |
- class Echo(LineReceiver): |
- def connectionMade(self): |
- self.transport.write("Welcome to the echo server!\r\n") |
- |
- def lineReceived(self, line): |
- self.transport.write(line + "\r\n") |
- |
- class Echo1(Echo): |
- def connectionMade(self): |
- if not self.transport.tlsStarted: |
- self.transport.setServerHandshakeOp(certChain=certChain, |
- privateKey=privateKey, |
- verifierDB=verifierDB) |
- else: |
- Echo.connectionMade(self) |
- |
- def connectionLost(self, reason): |
- pass #Handle any TLS exceptions here |
- |
- class Echo2(Echo): |
- def lineReceived(self, data): |
- if data == "STARTTLS": |
- self.transport.setServerHandshakeOp(certChain=certChain, |
- privateKey=privateKey, |
- verifierDB=verifierDB) |
- else: |
- Echo.lineReceived(self, data) |
- |
- def connectionLost(self, reason): |
- pass #Handle any TLS exceptions here |
- |
- factory = Factory() |
- factory.protocol = Echo1 |
- #factory.protocol = Echo2 |
- |
- wrappingFactory = WrappingFactory(factory) |
- wrappingFactory.protocol = TLSTwistedProtocolWrapper |
- |
- log.startLogging(sys.stdout) |
- reactor.listenTCP(1079, wrappingFactory) |
- reactor.run() |
- |
- |
-13 Security Considerations |
-=========================== |
-TLS Lite is beta-quality code. It hasn't received much security analysis. |
-Use at your own risk. |
- |
- |
-14 History |
-=========== |
-0.3.8 - 2/21/2005 |
- - Added support for poplib, imaplib, and smtplib |
- - Added python 2.4 windows installer |
- - Fixed occassional timing problems with test suite |
-0.3.7 - 10/05/2004 |
- - Added support for Python 2.2 |
- - Cleaned up compatibility code, and docs, a bit |
-0.3.6 - 9/28/2004 |
- - Fixed script installation on UNIX |
- - Give better error message on old Python versions |
-0.3.5 - 9/16/2004 |
- - TLS 1.1 support |
- - os.urandom() support |
- - Fixed win32prng on some systems |
-0.3.4 - 9/12/2004 |
- - Updated for TLS/SRP draft 8 |
- - Bugfix: was setting _versioncheck on SRP 1st hello, causing problems |
- with GnuTLS (which was offering TLS 1.1) |
- - Removed _versioncheck checking, since it could cause interop problems |
- - Minor bugfix: when cryptlib_py and and cryptoIDlib present, cryptlib |
- was complaining about being initialized twice |
-0.3.3 - 6/10/2004 |
- - Updated for TLS/SRP draft 7 |
- - Updated test cryptoID cert chains for cryptoIDlib 0.3.1 |
-0.3.2 - 5/21/2004 |
- - fixed bug when handling multiple handshake messages per record (e.g. IIS) |
-0.3.1 - 4/21/2004 |
- - added xmlrpclib integration |
- - fixed hanging bug in Twisted integration |
- - fixed win32prng to work on a wider range of win32 sytems |
- - fixed import problem with cryptoIDlib |
- - fixed port allocation problem when test scripts are run on some UNIXes |
- - made tolerant of buggy IE sending wrong version in premaster secret |
-0.3.0 - 3/20/2004 |
- - added API docs thanks to epydoc |
- - added X.509 path validation via cryptlib |
- - much cleaning/tweaking/re-factoring/minor fixes |
-0.2.7 - 3/12/2004 |
- - changed Twisted error handling to use connectionLost() |
- - added ignoreAbruptClose |
-0.2.6 - 3/11/2004 |
- - added Twisted errorHandler |
- - added TLSAbruptCloseError |
- - added 'integration' subdirectory |
-0.2.5 - 3/10/2004 |
- - improved asynchronous support a bit |
- - added first-draft of Twisted support |
-0.2.4 - 3/5/2004 |
- - cleaned up asyncore support |
- - added proof-of-concept for Twisted |
-0.2.3 - 3/4/2004 |
- - added pycrypto RSA support |
- - added asyncore support |
-0.2.2 - 3/1/2004 |
- - added GMPY support |
- - added pycrypto support |
- - added support for PEM-encoded private keys, in pure python |
-0.2.1 - 2/23/2004 |
- - improved PRNG use (cryptlib, or /dev/random, or CryptoAPI) |
- - added RSA blinding, to avoid timing attacks |
- - don't install local copy of M2Crypto, too problematic |
-0.2.0 - 2/19/2004 |
- - changed VerifierDB to take per-user parameters |
- - renamed tls_lite -> tlslite |
-0.1.9 - 2/16/2004 |
- - added post-handshake 'Checker' |
- - made compatible with Python 2.2 |
- - made more forgiving of abrupt closure, since everyone does it: |
- if the socket is closed while sending/recv'ing close_notify, |
- just ignore it. |
-0.1.8 - 2/12/2004 |
- - TLSConnections now emulate sockets, including makefile() |
- - HTTPTLSConnection and TLSMixIn simplified as a result |
-0.1.7 - 2/11/2004 |
- - fixed httplib.HTTPTLSConnection with multiple requests |
- - fixed SocketServer to handle close_notify |
- - changed handshakeClientNoAuth() to ignore CertificateRequests |
- - changed handshakeClient() to ignore non-resumable session arguments |
-0.1.6 - 2/10/2004 |
- - fixed httplib support |
-0.1.5 - 2/09/2004 |
- - added support for httplib and SocketServer |
- - added support for SSLv3 |
- - added support for 3DES |
- - cleaned up read()/write() behavior |
- - improved HMAC speed |
-0.1.4 - 2/06/2004 |
- - fixed dumb bug in tls.py |
-0.1.3 - 2/05/2004 |
- - change read() to only return requested number of bytes |
- - added support for shared-key and in-memory databases |
- - added support for PEM-encoded X.509 certificates |
- - added support for SSLv2 ClientHello |
- - fixed shutdown/re-handshaking behavior |
- - cleaned up handling of missing_srp_username |
- - renamed readString()/writeString() -> read()/write() |
- - added documentation |
-0.1.2 - 2/04/2004 |
- - added clienttest/servertest functions |
- - improved OpenSSL cipher wrappers speed |
- - fixed server when it has a key, but client selects plain SRP |
- - fixed server to postpone errors until it has read client's messages |
- - fixed ServerHello to only include extension data if necessary |
-0.1.1 - 2/02/2004 |
- - fixed close_notify behavior |
- - fixed handling of empty application data packets |
- - fixed socket reads to not consume extra bytes |
- - added testing functions to tls.py |
-0.1.0 - 2/01/2004 |
- - first release |
- |
- |
-15 References |
-============== |
-[0] http://www.ietf.org/html.charters/tls-charter.html |
-[1] http://www.trevp.net/tls_srp/draft-ietf-tls-srp-07.html |
-[2] http://www.ietf.org/internet-drafts/draft-ietf-tls-sharedkeys-02.txt |
-[3] http://www.trevp.net/cryptoID/ |
-[4] http://www.openssl.org/ |
-[5] http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ |
-[6] http://sandbox.rulemaker.net/ngps/m2/ |
-[7] http://trevp.net/cryptlibConverter/ |
-[8] http://www.trevp.net/cryptoID/ |
-[9] http://www.amk.ca/python/code/crypto.html |
-[10] http://gmpy.sourceforge.net/ |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |
- |