HOWTO: Programming HTTPS in Python with M2Crypto

Pheng Siong Ng

ngps@netmemetic.com

Revision History
Revision 1.1, 2003/06/22 16:41:18


Introduction

M2Crypto is a Python interface to OpenSSL. It makes available to the Python programmer SSL functionality to implement clients and servers, S/MIME v2, RSA, DSA, DH, symmetric ciphers, message digests and HMACs.

This document demonstrates programming HTTPS with M2Crypto.


Programming HTTPS

HTTPS - HTTP over SSL/TLS

Python has had good HTTP support for several years now. M2Crypto's HTTPS functionality mostly adopts the interfaces in Python's HTTP modules.

In this HOWTO, we shall begin with writing HTTPS clients. Now, to test the HTTPS clients we write, we need an HTTPS server; conversely, to test our HTTPS servers, we need an HTTPS client. ;-)

All the programs we write in this HOWTO are found in <m2crypto>/demo/https.howto/. Additionally, a number of programs from <m2crypto>/demo/ssl are also copied into this directory; their names are prefixed by "orig". These "orig" programs shall be our known-working HTTPS clients and servers.


ssldump

ssldump "is an SSLv3/TLS network protocol analyser. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.

If linked with OpenSSL, ssldump can display certificates in decoded form and decrypt traffic (provided that it has the appropriate keying material)."

ssldump is written by Eric Rescorla.


orig_https_srv.py

orig_https_srv.py is an enhanced version of SimpleHTTPServer that features the following:

Invoke orig_https_srv.py thusly:

$ python orig_https_srv.py

By default, orig_https_srv.py serves HTTPS on port 9443.


A bit of history

M2Crypto was created during the time of Python 1.5, which featured a module httplib providing client-side HTTP functionality. M2Crypto sports an httpslib based on httplib.

Beginning with version 2.0, Python's socket module provided (rudimentary) SSL support. Also in the same version, httplib was enhanced with class HTTPConnection, which is more sophisticated than the old class HTTP, and HTTPSConnection, which does HTTPS.

Subsequently, M2Crypto.httpslib grew a compatible (but not identical) class HTTPSConnection.

The primary interface difference between the two HTTPSConnection classes is that M2Crypto's version accepts an M2Crypto.SSL.Context instance as a parameter, whereas Python 2.x's SSL support does not permit Pythonic control of the SSL context.

Within the implementations, Python's HTTPSConnection employs a FakeSocket object, which collects all input from the SSL connection before returning it to the application as a StringIO buffer, whereas M2Crypto's HTTPSConnection uses a buffering M2Crypto.BIO.IOBuffer object that works over the underlying M2Crypto.SSL.Connection directly.
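The point of the comparison above is that M2Crypto's HTTPSConnection lets the application hand in its own SSL context, and so decide for itself how the server is verified. The example below is added here and is not from the HOWTO or the M2Crypto project: it shows the same idea using Python's standard library ssl and http.client modules (which later Python versions added as the counterpart of M2Crypto.SSL.Context and M2Crypto.httpslib.HTTPSConnection), building a context that requires a valid server certificate and a matching hostname and binding it to a client connection. The ca.pem path and the localhost target are assumptions for illustration; port 9443 is the default of orig_https_srv.py.

```python
"""Added example (not the HOWTO's own code): an HTTPS client whose TLS
policy is set from Python, using the standard library's ssl module as an
analogue of the M2Crypto.SSL.Context parameter the HOWTO describes."""
import http.client
import ssl


def make_verifying_context(cafile=None):
    """Return an SSLContext that verifies the server's certificate chain and
    hostname and refuses protocol versions older than TLS 1.2.

    cafile: optional path to a PEM bundle of trusted CA certificates (for
    example the CA that signed the demo server's certificate). When None,
    the platform's default trust store is used.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    # create_default_context already enables these; they are set explicitly
    # so the verification policy is visible in one place when reviewed.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_https_connection(host, port=9443, cafile=None, timeout=10):
    """Create (but do not yet open) an HTTPS connection bound to a verifying
    context. 9443 is the port orig_https_srv.py listens on by default."""
    ctx = make_verifying_context(cafile)
    return http.client.HTTPSConnection(host, port, context=ctx,
                                       timeout=timeout)


def https_get(host, path="/", port=9443, cafile=None):
    """Perform a GET and return (status, body). If the server presents a
    certificate the context cannot validate, the handshake raises
    ssl.SSLCertVerificationError before any request data is sent."""
    conn = make_https_connection(host, port, cafile)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed local setup: orig_https_srv.py running on localhost:9443 with a
    # certificate issued by the CA in ca.pem (a placeholder path).
    status, body = https_get("localhost", "/", cafile="ca.pem")
    print(status, len(body))
```

The connection object is only created, not opened, by make_https_connection, so the verification policy can be inspected or unit-tested without a network; the handshake, and therefore the certificate check, happens when request() is first called.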


A simple HTTPS-POST client


A multi-threaded HTTPS client


An asynchronous session-reusing client


Verifying server certificate


Using client certificate


SimpleHTTPSServer


A Medusa-based HTTPS server


Client certificate-based authentication


Controlling session reuse