Lecture 8 - Python TLS - Context and SSLSocket_Handouts.pdf
Python TLS – Context and SSLSocket
© 2024 Swinburne University of Technology

8.1 The TLS Context

TLS Context – What is the Purpose of the TLS Context (Refresher)
- The TLS Context manages TLS configuration for new connections and for multiple connections.
- It allows you to specify application-wide settings for all secure communications.
- Wrapping the Socket: you cannot just create an SSLSocket directly.
  1. Create the Context
  2. Create the Socket
  3. Wrap the Socket with the Context to create an SSLSocket

TLS Context – Creating the Context (Refresher)
- Don't try to create the context directly; the library provides helper functions.
- Use create_default_context().
- First parameter – the TLS Purpose: are you acting as a server or a client?
- Other parameters – certificate: specify certificate verification settings.

TLS Context – Setting Context Details (Typical Configuration)
- Purpose: you would typically only need to set the Context Purpose.
  - Purpose.SERVER_AUTH – for developing a client
  - Purpose.CLIENT_AUTH – for developing a server
- Default settings: Purpose.SERVER_AUTH, using the central root certificate store.

TLS Context – More Complex Settings
- Private certificates: you can specify alternate trusted certificates, for a self-signed certificate or a private authority. They can be provided when creating the context or later.
- TLS versions: what if the other side is using older software? You may need to set particular options in the context to enable older versions of TLS.

8.2 Creating the SSLSocket

Creating the SSLSocket – Wrapping the Socket
- Client
  - Create the Socket.
  - Call the wrap_socket() method on the Context with the Socket variable – this returns an SSLSocket.
  - Do NOT call Socket.connect() – wrap the socket first, then call SSLSocket.connect().
- Server
  - Create the Socket.
  - Call Socket.bind() and Socket.listen().
  - Option 1: call Socket.accept(), then wrap the returned Socket with the Context.
  - Option 2: wrap the listening socket with the Context, then call SSLSocket.accept() – this will create and return an SSLSocket.
  - Always pass server_side=True to the wrap_socket() call.

Creating the SSLSocket – After you have an SSLSocket
- The SSLSocket wraps all the normal Socket methods with the same functionality, except that communications are encrypted.
- Self-signed certificates: verification will typically fail. You would have to specify the certificate to trust, either when creating the Context or by calling load_cert_chain() after the Context is created.
- Example – browser:
  1. Verification fails.
  2. Get the failed certificate and temporarily store it locally.
  3. Ask the user to trust the certificate.
  4. Call load_cert_chain() with the stored certificate.
  5. Try again – two attempts.

8.3 Cleaner Programming

Cleaner Programming – Not Letting your Program Crash
- When something goes wrong, most Python code will throw an exception. If it is not caught, your program will crash: a reasonable error message, but also messy output.
- You should use a Python try/except block to catch and handle the exception:

    try:
        … Code that can fail …
    except Exception as e:
        … Handle exception …

8.4 Tutorial and Laboratory

Week 8 Tutorial – Project Overview
- Project introduction: introduction to the graded project within your portfolio.
- Overview of requirements.
- Overview of the grading scheme.

Week 8 Lab – Python Programming
In this lab, you will complete the following objectives:
- Convert two Python programs that implement a TCP Echo client and server to use TLS.
  - Server to use a self-signed certificate.
  - Client to verify the self-signed certificate.
- Credit Task: the client should retrieve and print certificate information to the screen after the TLS connection is established.
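The client and server set-up, self-signed trust, try/except handling and the credit-task certificate printout from these slides, as an added example that is not the unit's own lab code. In Python's ssl module the client trusts a self-signed certificate through the cafile argument of create_default_context() (or load_verify_locations()), while load_cert_chain() is the server-side call that loads its own certificate and private key; host, port and the certificate/key paths are placeholders you supply.

```python
import socket
import ssl

def make_client_context(cafile=None):
    # Purpose.SERVER_AUTH; cafile = PEM of a self-signed/private-CA cert to trust
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # lower only for old peers
    return ctx

def make_server_context(certfile, keyfile):
    # Purpose.CLIENT_AUTH; load_cert_chain() attaches the server's own cert + key
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx

def describe_peer_cert(cert):
    # Credit task: getpeercert() is only populated once the peer cert verified
    if not cert:
        return ["no verified peer certificate (is the self-signed cert trusted?)"]
    name = lambda rdns: ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)
    return [f"subject:  {name(cert.get('subject', ()))}",
            f"issuer:   {name(cert.get('issuer', ()))}",
            f"valid:    {cert.get('notBefore')} -> {cert.get('notAfter')}",
            f"altnames: {', '.join(v for _, v in cert.get('subjectAltName', ()))}"]

def tls_echo_client(host, port, ctx, message):
    # Wrap the plain socket first, then connect on the SSLSocket (handshake runs there)
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.connect((host, port))
            for line in describe_peer_cert(tls.getpeercert()):
                print(line)
            tls.sendall(message)
            return tls.recv(4096)
    except ssl.SSLCertVerificationError as e:   # wrong or untrusted certificate
        print("certificate rejected:", e.verify_message)
    except (ssl.SSLError, OSError) as e:        # handshake/protocol/network failure
        print("TLS/socket error:", e)
    return None

def tls_echo_server_once(port, ctx):
    # Option 2 from the slides: wrap the listening socket, then accept() on it
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as raw:
        raw.bind(("127.0.0.1", port))
        raw.listen(1)
        with ctx.wrap_socket(raw, server_side=True) as tls:
            conn, _ = tls.accept()  # TLS handshake runs here; may raise SSLError
            with conn:
                conn.sendall(conn.recv(4096))
```

Run the server with make_server_context("server.pem", "server.key") and the client with make_client_context("server.pem") so that the self-signed certificate is trusted and getpeercert() returns a populated dict.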