Client Certificates and Mutual Authentication in Python

I am trying to configure this based on "Use TLS and Python for authentication", with proper key authentication.

After several days of trying to configure the correct ssl certificates, I get this error.

    [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'SSL3_GET_CLIENT_CERTIFICATE', 'no certificate returned')]
    /usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py:614:_doReadOrWrite
    /usr/lib/python2.7/dist-packages/twisted/internet/tcp.py:215:doRead
    /usr/lib/python2.7/dist-packages/twisted/internet/tcp.py:221:_dataReceived
    /usr/lib/python2.7/dist-packages/twisted/protocols/tls.py:419:dataReceived
    --- <exception caught here> ---
    /usr/lib/python2.7/dist-packages/twisted/protocols/tls.py:358:_flushReceiveBIO
    ]

This is the output of the following, on the server:

    def connectionLost(self, reason):
        print reason

I am not sure where I am wrong in generating certificates.

This is my code for creating a certificate authority:

    ##------------------------------ Creating CA -------------------------------##
    cd /etc/ssl
    mkdir CA
    cd CA
    ## Make storage dirs
    mkdir certs crl newcerts private
    ## fix permissions and create directories
    chmod 700 private
    touch index.txt
    echo 1000 > serial
    ## Create a private key
    openssl genrsa -aes256 -out /etc/ssl/CA/private/ca.key.pem 4096
    ## pass = nill
    ##/etc/ssl/CA/private/ca.key.pem
    chmod 400 /etc/ssl/CA/private/ca.key.pem
    ## change stuff in ssl config file
    nano /etc/ssl/openssl.cnf
    ### dir = /etc/ssl/CA # Where everything is kept
    ## Left out
    ##keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    ####
    ##Self sign CA certificate
    openssl req -new -x509 -days 3650 -key /etc/ssl/CA/private/ca.key.pem \
        -sha256 -extensions v3_ca -out /etc/ssl/CA/certs/ca.cert.pem
    ### US AZ AZ Nameless CA Certificate Authority Nameless CA 3Nameless22222@Nameless.com ###
    ## This is the CA public key
    chmod 444 /etc/ssl/CA/certs/ca.cert.pem
    cp /etc/ssl/CA/certs/ca.cert.pem /etc/ssl/certs/ca.cert.pem
    ## Join ca.cert.pem and ca.key.pem into a file named ca.private.cert.pem
    ## in /etc/ssl/private/ca.private.cert.pem
    ##---------------------------- Creating CA END -----------------------------##

Server key:

    ##-------------------------- Creating Server Key ---------------------------##
    cd /etc/ssl/CA
    ##Create private key for server
    openssl genrsa -out private/servermain.key.pem 4096
    chmod 400 private/servermain.key.pem
    ##Create signing request
    cd /etc/ssl/CA
    openssl req -sha256 -new -key private/servermain.key.pem \
        -out certs/servermain.csr.pem
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:AZ
    Locality Name (eg, city) [Default City]:AZ
    Organization Name (eg, company) [Default Company Ltd]:Nameless CA
    Organizational Unit Name (eg, section) []:Certificate Authority
    Common Name (eg, your name or your server hostname) []:mainserver
    Email Address []: 3Nameless22222@Nameless.com
    ###
    cd /etc/ssl/CA
    ## Sign servers signing request
    openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
        -extensions usr_cert -notext -md sha256 \
        -in certs/servermain.csr.pem -out certs/servermain.cert.pem
    chmod 444 /etc/ssl/CA/certs/nill.cert.pem
    ## Join servermain.cert.pem and servermain.key.pem into a file named
    ## server.pem in /etc/ssl/private/server.pem
    ##------------------------ Creating Server Key End -------------------------##

Creating a client certificate:

    ##------------------------ Create New Client Certs -------------------------##
    from twisted.python.filepath import FilePath
    from twisted.internet.ssl import PrivateCertificate, KeyPair, DN


    def getCAPrivateCert():
        #path to a private key
        ## needs to be the path to a CA private key for signing
        privatePath = FilePath(b"/etc/ssl/private/cacert.pem")
        if privatePath.exists():
            return PrivateCertificate.loadPEM(privatePath.getContent())
        else:
            print "CRASH TIME"


    def clientCertFor(name):
        signingCert = getCAPrivateCert()
        clientKey = KeyPair.generate(size=4096)
        csr = clientKey.requestObject(DN(CN=name), "sha1")
        clientCert = signingCert.signRequestObject(
            csr, serialNumber=1, digestAlgorithm="sha1")
        return PrivateCertificate.fromCertificateAndKeyPair(clientCert, clientKey)


    if __name__ == '__main__':
        import sys
        name = sys.argv[1]
        pem = clientCertFor(name.encode("utf-8")).dumpPEM()
        FilePath(name.encode("utf-8") + b".client.private.pem").setContent(pem)
    ##---------------------- Create New Client Certs End -----------------------##

Server creation:

    ##--------------------------------- Server ---------------------------------##
    ## Note: server.pem is the servers certificate joined with the public key
    ## servermain.key.pem
    ## servermain.cert.pem
    ## ca.cert.pem is the CA public certificate
    from twisted.python.filepath import FilePath
    from twisted.internet.endpoints import SSL4ServerEndpoint
    from twisted.internet.ssl import PrivateCertificate, Certificate
    from twisted.internet.defer import Deferred
    from twisted.internet.task import react
    from twisted.internet.protocol import Protocol, Factory

    CERTFILE = "/etc/ssl/certs/ca.cert.pem"
    SERVERCERT = "/etc/ssl/private/server.pem"


    class ReportWhichClient(Protocol):
        def dataReceived(self, data):
            print "****************** NEW PEER REQUEST ******************"
            ## Get peer cert id
            peerCertificate = Certificate.peerFromTransport(self.transport)
            userkey = peerCertificate.getSubject().commonName.decode('utf-8')
            print userkey

        def connectionMade(self):
            print "connected"

        def connectionLost(self, reason):
            print reason


    def main(reactor):
        print "react"
        #Path to CA public key
        cacert = FilePath(CERTFILE).getContent()
        #Path to Server private key
        pemBytes = FilePath(SERVERCERT).getContent()
        ## should be ca public key from sudo mv cacert.pem /etc/ssl/certs/?
        certificateAuthority = Certificate.loadPEM(pemBytes)
        myCertificate = PrivateCertificate.loadPEM(pemBytes)
        serverEndpoint = SSL4ServerEndpoint(reactor, 4321,
                                            myCertificate.options(certificateAuthority))
        serverEndpoint.listen(Factory.forProtocol(ReportWhichClient))
        return Deferred()


    react(main, [])
    ##------------------------------- Server End -------------------------------##

Client:

    ##---------------------------- Client function -----------------------------##
    ## Imports (missing from the posted snippet; these are the Twisted names it uses)
    from twisted.python.filepath import FilePath
    from twisted.internet.defer import Deferred, inlineCallbacks
    from twisted.internet.endpoints import SSL4ClientEndpoint
    from twisted.internet.ssl import Certificate, PrivateCertificate, optionsForClientTLS
    from twisted.internet.task import react
    from twisted.internet.protocol import Protocol, Factory


    class SendAnyData(Protocol):
        ## Minimal stand-in for the protocol the snippet refers to but does not define:
        ## send one line, then fire self.deferred once the server closes the connection
        def connectionMade(self):
            self.deferred = Deferred()
            self.transport.write(b"HELLO\r\n")

        def connectionLost(self, reason):
            self.deferred.callback(None)


    ##Main key reading class
    @inlineCallbacks
    def main(reactor, name):
        ## Client private key
        ## (the posted line was garbled; assumed to read the <name>.client.private.pem
        ##  bundle written by the client-cert script above)
        pem = FilePath(name.encode("utf-8") + b".client.private.pem").getContent()
        #CA public key
        caPem = FilePath(b"ca.cert.pem").getContent()
        clientEndpoint = SSL4ClientEndpoint(
            reactor, u"localhost", 4321,
            optionsForClientTLS(u"Nameless CA", Certificate.loadPEM(caPem),
                                PrivateCertificate.loadPEM(pem)),
        )
        proto = yield clientEndpoint.connect(Factory.forProtocol(SendAnyData))
        yield proto.deferred


    import sys
    react(main, sys.argv[1:])
    ##-------------------------- Client function End ---------------------------##
python twisted ssl openssl

No one has answered this question yet.
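The question turns on which PEM file plays which role: the trust anchor handed to the server must be the CA certificate alone, while the server and client bundles each need a certificate plus its private key, and the server reads the client's identity from the subject CN of the certificate the client presented. The block below is an added example, not code from the question or from Twisted; it uses only the standard library `ssl` and `re` modules to (1) inspect what block types a PEM bundle actually contains and flag the role mix-ups that produce a "no certificate returned" style failure, (2) build the equivalent mutual-TLS contexts with `ssl.SSLContext`, and (3) pull the CN out of `getpeercert()` output. The `SAMPLE_*` strings are constructed, PEM-shaped placeholders (their base64 bodies are not real keys or certificates); the function names and file paths are the example's own.

```python
"""Sanity-check the file layout for mutual TLS and build stdlib ssl contexts."""
import re
import ssl
from typing import List, Optional

# One PEM block; the label (CERTIFICATE, RSA PRIVATE KEY, ...) is captured and must
# match on the END line, so a mangled or truncated block is not counted.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

# Constructed, PEM-shaped samples (placeholder bodies, not real key material).
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0FDRVJU\n-----END CERTIFICATE-----\n"
SAMPLE_SERVER = (
    "-----BEGIN CERTIFICATE-----\nU0VSVkVS\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nU0VSVkVSS0VZ\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_CLIENT = (
    "-----BEGIN CERTIFICATE-----\nQ0xJRU5U\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nQ0xJRU5US0VZ\n-----END PRIVATE KEY-----\n"
)


def pem_block_types(pem: str) -> List[str]:
    """Labels of the PEM blocks in a bundle, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem)]


def check_mtls_files(ca_pem: str, server_pem: str, client_pem: str) -> List[str]:
    """Return human-readable problems with the three inputs (empty list = looks right).

    The roles mirror the question: the CA file is a trust anchor (certificate only),
    while the server and client bundles must each carry a certificate and a key.
    """
    problems = []
    if pem_block_types(ca_pem) != ["CERTIFICATE"]:
        problems.append("CA file should hold exactly one CERTIFICATE block and no private key")
    for role, pem in (("server", server_pem), ("client", client_pem)):
        types = pem_block_types(pem)
        if "CERTIFICATE" not in types:
            problems.append(f"{role} bundle has no CERTIFICATE block")
        if not any(t.endswith("PRIVATE KEY") for t in types):
            problems.append(f"{role} bundle has no PRIVATE KEY block")
    if ca_pem.strip() == server_pem.strip():
        problems.append("CA input is the server bundle: the server would only trust itself as an issuer")
    return problems


def server_context(ca_path: str, chain_path: str) -> ssl.SSLContext:
    """Server side: present our chain and require a client certificate signed by the CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED        # no client cert -> handshake fails
    ctx.load_verify_locations(cafile=ca_path)  # trust anchor used to verify client certs
    ctx.load_cert_chain(certfile=chain_path)   # server cert + key in one PEM bundle
    return ctx


def client_context(ca_path: str, chain_path: str) -> ssl.SSLContext:
    """Client side: verify the server against the CA and offer our own cert + key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    ctx.load_verify_locations(cafile=ca_path)
    ctx.load_cert_chain(certfile=chain_path)        # client cert + key; omit this and the
    return ctx                                      # server above rejects the handshake


def peer_common_name(peer_cert: Optional[dict]) -> Optional[str]:
    """CN from ssl.SSLSocket.getpeercert() output; None if the peer sent no certificate."""
    if not peer_cert:
        return None
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


if __name__ == "__main__":
    print("correct layout:", check_mtls_files(SAMPLE_CA, SAMPLE_SERVER, SAMPLE_CLIENT))
    # Same mistake as passing the server bundle where the CA certificate belongs
    print("server PEM as CA:", check_mtls_files(SAMPLE_SERVER, SAMPLE_SERVER, SAMPLE_CLIENT))
    print("peer CN:", peer_common_name({"subject": ((("commonName", "client1"),),)}))
```

`check_mtls_files` runs on the text of the files, so it can be called before any socket is opened; once real files are in place, `server_context` and `client_context` take their paths and the `ssl.SSLSocket` returned by `wrap_socket` yields `getpeercert()` for `peer_common_name`.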
