It has been almost two years since I wrote about the state of SSL in Python 2.6. If you haven’t read that yet, I suggest you read that first and then continue here, since I will mostly just be talking about things that have changed since then, or things that I have discovered since then.
The good news is that things have improved in the stdlib ssl module. The bad news is that it is still missing some critical pieces to make SSL secure.
Python 2.7 enables you to specify ciphers to use explicitly, rather than just relying on what comes default with the SSL version selection. Additionally, if you compile the
ssl module with OpenSSL 1.0 and later, using
ssl.PROTOCOL_SSLv23 is safe (as in, it will not pick the insecure SSLv2 protocol) as long as you don’t enable SSLv2 specific ciphers (see the ssl module documentation for details).
With that out of the way, there isn’t really much difference to how you would write a simple SSL server with Python 2.7 compared to what I wrote in 2008. If you know your
ssl module was compiled with OpenSSL 1.0 you can pick
ssl.PROTOCOL_SSLv23 for maximum compatibility. Otherwise you should stick with an explicit version other than v2.
The documentation for the ssl module in 2.7 has improved a lot, and includes good sample code for servers here.
The M2Crypto code hasn’t changed. The next M2Crypto release will add support for 0penSSL 1.0.
Checking the peer certificate’s hostname is still the weak point of the
ssl module. The SSL version selection situation has improved slightly like I explained above. Othewise follow the example I wrote in 2008.
Again, the M2Crypto API hasn’t changed.
import pycurl c = pycurl.Curl() c.setopt(pycurl.URL, 'https://www.google.com') c.setopt(pycurl.HTTPGET, 1) c.setopt(pycurl.SSL_VERIFYPEER, 1) c.setopt(pycurl.CAINFO, 'ca.pem') c.setopt(pycurl.SSL_VERIFYHOST, 2) try: c.perform() finally: c.close()
I am not a big fan of pycurl due to difficulties getting it compiled and the non-Pythonic API. But it is based on the very powerful curl library, so it comes full featured out of the box.
The future is also looking bright for the
ssl module. Already the upcoming Python 3.2 ssl module will include support for
SSLContexts so that you can set options for multiple SSL connections at once, allows you to selectively disable SSL versions, and it allows you to check the OpenSSL version as well.
- None Found