Re: Python and SSL

---

• From: "Martin v. Löwis" <martin@xxxxxxxxxxx>
• Date: Mon, 16 Apr 2007 23:38:40 +0200

---

- I noticed that socket module provides an SSL class (socket.ssl) but
even if documentation reports that it does not do any certificate
verification a lot of stdlib modules (imaplib, poplib, smtplib,
httplib and urllib2) provides SSL extension classes wherein socket.ssl
is used. What does it mean?

It means that these modules can do encrypted communication for their
respective protocol. They cannot validate that they are really talking
to the server they think they talk to (so they are prone to a
man-in-the-middle attack), however, as communication is encrypted, they
are protected against wire-tapping. Also, some servers require
encrypted connections (e.g. when passwords are transmitted), so they
can use SSL for that.

- On top of that why such extension classes [examples: 1, 2, 3]
accepts key-files and cert-files as optional argouments if no
certificate verification occurs?
[1] poplib.POP3_SSL( host[, port[, keyfile[, certfile]]])
[2] imaplib.IMAP4_SSL( [host[, port[, keyfile[, certfile]]]])
[3] smtplib.starttls( [keyfile[, certfile]])

These are client certificates. Some servers require that clients
authenticate through client certificates. This effectively avoids
man-in-the-middle attacks, as the server will validate the client's
certificate.

- By searching through the web I found some daemons supporting SSL
such as this one:
http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
By looking at the code I notice that pyopenssl package is used and
that a certificate file is required. Why do I need to use pyopenssl
and how do I generate the cert file?

You can generate certificate files using the openssl command line
tool; see the openssl documentation for details.

Martin
.

---

• Follow-Ups:
  • Re: Python and SSL
    • From: Paul Rubin

• References:
  • Python and SSL
    • From: billiejoex

• Prev by Date: Re: Compare regular expressions
• Next by Date: Re: C++ extension problem
• Previous by thread: Re: Python and SSL
• Next by thread: Re: Python and SSL
• Index(es):
  • Date
  • Thread

---

Relevant Pages RPC over HTTP, Microsoft solution ... Exchange Server 2003 RPC over HTTP Deployment Scenarios ... Place a check in the box next to 'Certificate Services' and click 'Yes' ... (microsoft.public.exchange.setup) Re: OWA 2003 w/ Smart Card Authentication. ... Exchange 2003 server via ActivSync. ... the IIS certificate. ... Whether or not authentication will succeed is completely dictated by ... Server's SSL certificate must be configured on root of v-server via ... (microsoft.public.exchange.connectivity) Re: Configuring SBS2003 for OWA and RWW ... And make sure certificate will not be ... On the Connection Type page, click Broadband, and then click Next. ... next to Preferred DNS server and next to ... If you are using ISA, please go to ISA management console, and navigate ... (microsoft.public.windows.server.sbs) Re: Configuring LDAP on Entourage 2004 OS X ... Microsoft CSS Online Newsgroup Support ... does not work with a self signed SSL certificate OR with the SSL ... configure the System to allow OMA and "Server ActiveSync" access from the ... Configuring Exchange Server 2003 for Client Access. ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)