Issue 11943: Add TLS-SRP (RFC 5054) support to ssl, _ssl, http, and urllib

Created on 2011-04-27 22:28 by sqs, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
python+tls-srp-20110427.patch sqs,2011-04-27 22:28 add TLS-SRP (RFC 5054) support to ssl, _ssl, http, urllib + tests

Repositories containing patches: https://bitbucket.org/sqs/cpython

Messages (12)
msg134627 - (view) Author: Quinn Slack (sqs) Date: 2011-04-27 22:28
This patch adds support for TLS-SRP (RFC 5054[1]) to Python ssl.SSLSocket, _ssl.c, http, and urllib. TLS-SRP lets a client and server establish a mutually authenticated SSL channel using only a username and password (a certificate may also be used to supplement authentication). TLS-SRP is supported in GnuTLS, OpenSSL 1.0.1 (soon to be released), cURL, TLSLite (a Python module), and mod_gnutls. There are also patches for Chrome, NSS, mod_ssl, Django, Firefox, WordPress, and SJCL (see [2]).

Much of the growing interest in TLS-SRP is because a couple of key PAKE patents expired recently. Also, CAs are perceived as more vulnerable now than a few years ago, and in certain cases TLS-SRP is a good substitute for or supplement to certificate auth. Two Python-specific use cases for TLS-SRP are calling HTTP APIs that require auth, and test suites written in Python for networked software (e.g., Chromium uses TLSLite for network testing).

I'm submitting this patch now to begin gathering feedback.

###########################################################
EXAMPLE USAGE
###########################################################

    import urllib.request
    res = urllib.request.urlopen("https://tls-srp.test.trustedhttp.org/",
                                 tls_username='jsmith', tls_password='abc')
    print(res.read())  # => "user: jsmith"

###########################################################

    import ssl, http.client
    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    context.set_tls_username_password('jsmith', 'abc')
    h = http.client.HTTPSConnection('tls-srp.test.trustedhttp.org', 443,
                                    context=context)
    h.request('GET', '/')
    resp = h.getresponse()
    print(resp.status)  # => 200
    print(resp.read())  # => "user: jsmith"

###########################################################

    import socket, ssl
    with socket.socket() as sock:
        s = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers='SRP',
                            tls_username='jsmith', tls_password='abc')
        s.connect(('tls-srp.test.trustedhttp.org', 443))
        s.write(b"GET / HTTP/1.0\n\n")
        print(s.read())

###########################################################

[1] http://tools.ietf.org/html/rfc5054
[2] http://trustedhttp.org/
[3] http://trustedhttp.org/wiki/TLS-SRP_in_Python
msg134675 - (view) Author: Jesús Cea Avión (jcea) * (Python committer) Date: 2011-04-28 13:20
The idea seems interesting. I will check the RFC ASAP. The patch should include documentation updates, though. You can update the issue number in the NEWS file, also. Do you plan to complete the sections marked as "TODO"?

PS: The mercurial repository URL you are linking has an unneeded username, and Firefox complains about it.
msg134676 - (view) Author: Jesús Cea Avión (jcea) * (Python committer) Date: 2011-04-28 13:23
Also, I will not invest too much time on this until OpenSSL 1.0.1 is released, with support for this.
msg134684 - (view) Author: Quinn Slack (sqs) Date: 2011-04-28 15:25
Thanks for checking this out. Yes, this should wait for OpenSSL 1.0.1. I will fix the TODO. It is there because the current TLS-SRP patch to OpenSSL uses old (pre-RFC 5054) TLS alert values for when the SRP username isn't in the Client Hello. I'm preparing another patch to OpenSSL to fix these, and then I'll update this patch. I'll also include docs.
msg134920 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-05-01 19:19
Thanks for the patch. Some preliminary comments:

- the OpenSSL functions you are using (SSL_get_srp_username etc.) don't seem documented on openssl.org; this makes it harder to do a proper review
- no need to fill Misc/ACKS and Misc/NEWS by yourself, we can take care of that
- what is an "SRP vbase"? is it something standardized, or OpenSSL-specific?
- if server-side support needs a callback, I think it would be better to let users write their callback in Python, rather than force a hardwired implementation
- ssl.wrap_socket() is the legacy API, I would rather add new features only to the SSLContext API
msg135164 - (view) Author: Quinn Slack (sqs) Date: 2011-05-04 23:57
I have updated the patch in hg to address the sections marked "TODO" (after I submitted a patch to OpenSSL that they depended on). I'll resubmit a patch here in a ~week addressing that issue and those below, to continue pushing this issue along.

pitrou: Thanks for your feedback.

> - the OpenSSL functions you are using (SSL_get_srp_username etc.) don't seem documented on openssl.org; this makes it harder to do a proper review

Yes...I'll submit some docs to OpenSSL on these functions.

> - what is an "SRP vbase"? is it something standardized, or OpenSSL-specific?
> - if server-side support needs a callback, I think it would be better to let users write their callback in Python, rather than force a hardwired implementation

An SRP "vbase" is OpenSSL's name for the SRP password (verifier) database. I will generalize this interface so that Python callbacks can be provided (in addition to using an OpenSSL verifier database).

> - no need to fill Misc/ACKS and Misc/NEWS by yourself, we can take care of that
> - ssl.wrap_socket() is the legacy API, I would rather add new features only to the SSLContext API

Got it.
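The two messages above describe what the patch exposes (a username/password pair on the client, a verifier database on the server) without showing what the TLS-SRP key exchange actually computes. The following is an added worked example, not code from the patch, from OpenSSL, or from CPython's ssl module: it implements the SRP-6a arithmetic of RFC 5054 (SHA-1, the 1024-bit group from Appendix A, the PAD and x/k/u derivations) with both sides running in one process. The 'jsmith'/'abc' credentials are taken from the example usage in the issue; the class and function names, the constructed salt, and the in-process `run_exchange` driver are this example's own. There is no TLS record layer and no Finished-message check, so a wrong password shows up here as the two premaster secrets differing, which is what a real handshake would detect when the Finished MACs fail to verify.

```python
"""SRP-6a key exchange arithmetic per RFC 5054, client and server in one process.

Added example (not part of the issue's patch or of CPython's ssl module).
Shows the property the issue relies on: the server enrols and stores only a
verifier v = g^x mod N ("vbase" entry), and the password never leaves the
client, yet both sides derive the same premaster secret.
"""
import hashlib
import secrets

# 1024-bit group from RFC 5054, Appendix A: safe prime N and generator g.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # byte length used by PAD()


def _pad(x: int) -> bytes:
    """PAD(): big-endian encoding of x, left-padded with zeros to len(N)."""
    return x.to_bytes(N_LEN, "big")


def _to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def _sha1(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()


def _strip(s: int) -> bytes:
    """Premaster secret: S as a big-endian integer without leading zeros."""
    return s.to_bytes((s.bit_length() + 7) // 8, "big")


# k = SHA1(N | PAD(g)), the SRP-6a multiplier (RFC 5054 section 2.5.3).
K = _to_int(_sha1(_pad(N), _pad(g)))


def compute_x(salt: bytes, username: str, password: str) -> int:
    """x = SHA1(s | SHA1(I | ":" | P)), I and P encoded as UTF-8."""
    inner = _sha1(username.encode(), b":", password.encode())
    return _to_int(_sha1(salt, inner))


def make_verifier(username: str, password: str, salt=None):
    """Enrolment: what the server's verifier database stores is (I, s, v)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, pow(g, compute_x(salt, username, password), N)


class SrpServer:
    """Server side of the exchange; holds the verifier, never the password."""

    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier
        self.b = secrets.randbelow(N - 2) + 1
        # B = k*v + g^b mod N, carried with N, g and s in ServerKeyExchange.
        self.B = (K * self.v + pow(g, self.b, N)) % N

    def premaster_secret(self, A: int) -> bytes:
        if A % N == 0:  # RFC 5054 section 2.5.4: reject an illegal A
            raise ValueError("illegal_parameter: A mod N == 0")
        u = _to_int(_sha1(_pad(A), _pad(self.B)))
        if u == 0:
            raise ValueError("illegal_parameter: u == 0")
        return _strip(pow(A * pow(self.v, u, N), self.b, N))


class SrpClient:
    """Client side; knows the password and sends only A = g^a mod N."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)  # carried in ClientKeyExchange

    def premaster_secret(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:  # RFC 5054 section 2.5.3: reject an illegal B
            raise ValueError("illegal_parameter: B mod N == 0")
        u = _to_int(_sha1(_pad(self.A), _pad(B)))
        if u == 0:
            raise ValueError("illegal_parameter: u == 0")
        x = compute_x(salt, self.username, self.password)
        # S = (B - k*g^x) ^ (a + u*x) mod N; reduce the base first so it is >= 0
        base = (B - K * pow(g, x, N)) % N
        return _strip(pow(base, self.a + u * x, N))


def run_exchange(username: str, client_password: str, salt: bytes, verifier: int):
    """Drive one in-process handshake; returns (client_secret, server_secret)."""
    client = SrpClient(username, client_password)
    server = SrpServer(salt, verifier)
    return client.premaster_secret(salt, server.B), server.premaster_secret(client.A)


def server_accepts(A: int, salt: bytes, verifier: int) -> bool:
    """True if the server would proceed with this client value A."""
    try:
        SrpServer(salt, verifier).premaster_secret(A)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    salt, v = make_verifier("jsmith", "abc")  # credentials from the issue's example
    cs, ss = run_exchange("jsmith", "abc", salt, v)
    print("premaster secrets agree:", cs == ss)
    cs, ss = run_exchange("jsmith", "not the password", salt, v)
    print("wrong password detected:", cs != ss)
```

Note that the server-side check on A is the one the issue's "TODO" alert handling has to cover: an A that is 0 mod N must be rejected with illegal_parameter before any secret is derived, since otherwise S collapses to a value an attacker can predict without the password.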
msg159951 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-05-04 17:53
Quinn, are you planning to work on an updated patch?
msg170223 - (view) Author: Jesús Cea Avión (jcea) * (Python committer) Date: 2012-09-10 19:41
Ping!.
msg170282 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2012-09-11 09:20
2012/9/10 Jesús Cea Avión <report@bugs.python.org>:
>
> Ping!.

Guess, it is still for 3.4.
msg170307 - (view) Author: Jesús Cea Avión (jcea) * (Python committer) Date: 2012-09-11 13:52
Yes, 3.4. I would hate to rush, in two years, because this issue was neglected during 18 months :) No reason for not starting now.
msg170308 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2012-09-11 14:05
On Tuesday, 11 September 2012 at 13:52 +0000, Jesús Cea Avión wrote:
> No reason for not starting now.

There's no point in being pushy, though. If you want to "start", the best thing is to work on the patch and update it.
msg301476 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-06 14:54
This feature request has been idle for five years. Although TLS-SRP is nice to have, it is not a priority for protocols such as HTTPS. I neither have time nor motivation to create a patch myself. Therefore I'm closing this issue of lack of activity. Please feel free to re-open it with a patch against 3.7.
History
Date User Action Args
2022-04-11 14:57:16 admin set github: 56152
2017-09-06 14:54:35 christian.heimes set status: open -> closed; resolution: out of date; messages: +; stage: patch review -> resolved
2016-09-15 07:53:57 christian.heimes set assignee: christian.heimes; components: + SSL
2016-09-08 15:31:03 christian.heimes set components: + Extension Modules; versions: + Python 3.7, - Python 3.4
2015-08-21 15:18:48 njouanin set nosy: + njouanin
2013-06-14 14:08:58 christian.heimes set nosy: + christian.heimes
2012-09-11 14:05:24 pitrou set messages: +
2012-09-11 13:52:55 jcea set messages: +
2012-09-11 09:20:25 orsenthil set messages: +
2012-09-10 19:41:17 jcea set messages: +
2012-06-29 00:05:46 pitrou set versions: + Python 3.4, - Python 3.3
2012-05-04 17:53:32 pitrou set messages: +
2011-05-04 23:57:21 sqs set messages: +
2011-05-01 19:19:20 pitrou set messages: +
2011-04-28 15:25:26 sqs set messages: +
2011-04-28 13:23:21 jcea set messages: +
2011-04-28 13:20:39 jcea set messages: +
2011-04-28 13:07:29 orsenthil set nosy: + orsenthil
2011-04-28 12:59:14 jcea set nosy: + jcea
2011-04-27 22:55:08 pitrou set nosy: + pitrou, debatem1; type: enhancement; stage: patch review
2011-04-27 22:28:50 sqs create