
I have been stuck on this for several days and still cannot figure it out. I just want to build simple TLS client/server communication in Python. For the server I use EC2; for the client I use my own laptop. I set up and tested normal socket communication and everything works fine.

When I try this tutorial from the official doc, I run into a problem. For the following client code:

import ssl

# s is an already-connected socket.socket (not shown in the doc fragment)
# require a certificate from the server
ssl_sock = ssl.wrap_socket(s,
                           ca_certs="/etc/ca_certs_file",
                           cert_reqs=ssl.CERT_REQUIRED)

As far as I know, the /etc/ca_certs_file part should be some certificates from CAs. I am confused about where I should look for them. I actually found some .pem files in /etc/ssl/certs on the EC2 server but nothing on the client, my laptop.

I also tried to generate a user certificate according to this tutorial on openssl. I followed the steps, generating cakey.pem and cacert.pem for the server and userkey.pem and usercert-req.pem for the client, all in the same directory on my EC2 server. When I execute openssl ca -in usercert-req.pem -out usercert.pem, it outputs this error:

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
unable to load certificate
140420412405408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

So how should this cert file actually be generated? Generate it on the server side and then wait for the client to request it over the air, or generate it on the client side, or obtain it from a third party and use it directly on the client side?

Could anyone give any guidance? Any help is appreciated.

Yulong

1 Answer


This will create a self-signed certificate pair; the private key will be in the same file:

openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem

And then from python on the server side:

import socket
import ssl

# server_socket is assumed to be a bound, listening socket.socket,
# e.g. server_socket.bind(('', 8443)); server_socket.listen(5)
new_client_socket, address = server_socket.accept()
# cert.pem holds both the private key and the certificate, so the same
# file is given for certfile and keyfile
secured_client_socket = ssl.wrap_socket(new_client_socket,
                                        server_side=True,
                                        certfile='cert.pem',
                                        keyfile='cert.pem',
                                        ssl_version=ssl.PROTOCOL_TLSv1)

And the client application:

import socket
import ssl

unsecured_client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Here cert.pem is only the trust anchor: with CERT_REQUIRED the client
# rejects the connection unless the server presents a certificate that
# chains to it.  client_socket.connect((host, port)) then does the TCP
# connect and the TLS handshake.
client_socket = ssl.wrap_socket(unsecured_client_socket,
                                ca_certs='cert.pem',
                                cert_reqs=ssl.CERT_REQUIRED,
                                ssl_version=ssl.PROTOCOL_TLSv1)
andrean
  • Thanks for the reply. So by that command, are we generating two .pem files with the same name so that all the information is saved in one file? – Yulong Sep 07 '12 at 14:42
  • Yes, two keys will be placed in the same file. Wherever you generate that file, just copy it to the other side as well, so both the client and the server use that same file. Btw, if you specify two different file names, the keys will of course be placed in two different files. – andrean Sep 07 '12 at 17:26
  • Note that this is insecure, as the keyfile is meant to be only visible to the server. – Flimm Apr 11 '13 at 15:50
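Flimm's comment is the one to act on: the file the answer's openssl command writes contains both the private key and the certificate, and only the server should ever hold the key. The client needs nothing more than the CERTIFICATE block, which is what ca_certs (or cafile in ssl.create_default_context) takes as a trust anchor. The following is an added example, not code from the answer or the question, that splits such a combined PEM file into the server's key-plus-certificate material and a certificate-only trust store for the client, and checks that no private key slipped into the client copy. The PEM contents below are constructed placeholders (the base64 bodies are not real key or certificate data), and the output names server.pem and ca.pem are assumptions.

```python
import re

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
# The backreference (?P=label) requires BEGIN and END to carry the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem(text):
    """Return [(label, block_text)] for every PEM block in text, in file order."""
    return [(m.group("label"), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]


def is_private_key(label):
    """True for PKCS#8 and legacy labels: PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY."""
    return label.endswith("PRIVATE KEY")


def server_material(text):
    """What stays on the server: private key block(s) plus certificate(s)."""
    return "".join(block for label, block in split_pem(text)
                   if is_private_key(label) or label == "CERTIFICATE")


def client_trust_store(text):
    """What is copied to the client: CERTIFICATE blocks only, usable as ca_certs / cafile."""
    return "".join(block for label, block in split_pem(text) if label == "CERTIFICATE")


def leaked_keys(text):
    """Labels of private-key blocks in text; an empty list means the file is safe to hand out."""
    return [label for label, _ in split_pem(text) if is_private_key(label)]


# Constructed stand-in for the combined cert.pem; the bodies are placeholders, not real material.
COMBINED_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholderkeybody0000000000000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJplaceholdercertbody00000000000000000000000000
-----END CERTIFICATE-----
"""


if __name__ == "__main__":
    # Assumed file names: server.pem stays on the EC2 host, ca.pem goes to the laptop.
    with open("server.pem", "w") as f:
        f.write(server_material(COMBINED_PEM))
    client_copy = client_trust_store(COMBINED_PEM)
    with open("ca.pem", "w") as f:
        f.write(client_copy)
    print("private keys in client copy:", leaked_keys(client_copy))  # expect []
```

On the server, server.pem is then passed as both certfile and keyfile (or as one file to SSLContext.load_cert_chain); on the client, ca.pem is the ca_certs / cafile argument. Run leaked_keys over anything you are about to copy off the server: the check is cheap, and the combined file the answer produces is exactly the kind of file that ends up in a client's working directory by accident.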