6

I have a tornado server that provides an https connection with a self-signed certificate that I generated this way:

openssl genrsa -out privatekey.pem 1024                                         
openssl req -new -key privatekey.pem -out certrequest.csr 
openssl x509 -req -in certrequest.csr -signkey privatekey.pem -out certificate.pem

The code of the server is the following:

import tornado.ioloop
import tornado.web
import tornado.httpserver
import os

class MainHandler(tornado.web.RequestHandler):
    def get(self):
        print "new client "+str(self)
        self.write("Hello, world")

application = tornado.web.Application([
    (r"/", MainHandler),
])


http_server = tornado.httpserver.HTTPServer(
    application,
    ssl_options={
        "certfile": os.path.join("./", "certificate.pem"),
        "keyfile": os.path.join("./", "privatekey.pem"),
    },
)

if __name__ == "__main__":
    http_server.listen(443)
    tornado.ioloop.IOLoop.instance().start()

I want to have a python client that connects to the server and checks that the server is the right server (I guess through its certificate). For the moment I did a simple client like this:

import httplib
HOSTNAME='localhost'
# Python 2 httplib (before 2.7.9) encrypts the connection but performs
# no certificate verification at all, so any server is accepted here.
conn = httplib.HTTPSConnection(HOSTNAME)
conn.putrequest('GET','/')
conn.endheaders()
response = conn.getresponse()
print response.read()

What would you suggest I do? (The client will later be a mobile app; I only use Python for prototyping.)

Thanks.

lc2817
  • 3,722
  • 16
  • 40
  • If you can provide me with a client in Java, that is also OK. – lc2817 Nov 08 '11 at 03:47
  • related http://www.heikkitoivonen.net/blog/2010/08/23/ssl-in-python-2-7/ – jfs Nov 08 '11 at 03:48
  • related: http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python – jfs Nov 08 '11 at 03:51
  • @J.F.Sebastian I have seen this answer already but I can't figure out how to adapt it to my case – lc2817 Nov 08 '11 at 03:53
  • related: http://stackoverflow.com/q/1519074/ – jfs Nov 08 '11 at 03:55
  • @J.F.Sebastian the last link is interesting, though how can I get the certificate info in the client (I tried using dir on every object available to get these)? – lc2817 Nov 08 '11 at 03:57

2 Answers

3

If you control the client side too (like in an Android or iPhone app), you can add your self-signed certificate to your trusted certificate store.

It is well explained here for an Android app

MatLecu
  • 953
  • 8
  • 14
1

There is no way for the client to make sure that the server tells the truth. You can create a self-signed certificate for google.com.

jfs
  • 399,953
  • 195
  • 994
  • 1,670
  • Let's say I could register my certificate with a certificate authority; what should I do then? – lc2817 Nov 08 '11 at 04:10
  • @lc2817: then you could use [one of the answers](http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python) I've linked earlier. – jfs Nov 08 '11 at 04:41
  • You didn't answer my last comment on the other links. – lc2817 Nov 08 '11 at 04:49
  • 1
    @lc2817: if your certificate is available locally to the client then you could add it as a trusted certificate (CA). The links contain examples (`ca_certs` for `ssl`; `store.add_cert()` for answer that uses Twisted, `CAINFO` for `pycurl`). Another example: [urllib2_ssl.py](https://gist.github.com/1347055) (use `ca_certs` to add your self-signed certificate to the trusted list). – jfs Nov 08 '11 at 05:39