Lecture 9 - Advanced Python TLS Programming_Handouts

The document covers advanced topics in Python TLS programming, focusing on certificate verification, TLS connection information, and manual verification processes. It details how to specify trusted certificates, change verification modes, and retrieve remote certificate information. Additionally, it includes a tutorial and lab objectives for modifying client and server programs to implement self-signed certificates and validate them.

Advanced Python TLS Programming

© 2024 Swinburne University of Technology

9.1 Advanced Certificate Verification


Advanced Certificate Verification
Specifying the Certificate Root Store

When creating the context
• cafile – specifies the file whose certificate(s) are the only trusted certificates
• capath – specifies the folder that contains all trusted certificates
• cadata – a string containing a directly encoded certificate

Afterwards
• load_verify_locations() takes the same parameters
• Allows optional configuration, or more complex setups

Advanced Certificate Verification
Changing Verification Mode

ssl.CERT_NONE
• Accept any certificate
• Not secure
• Default for a server

ssl.CERT_OPTIONAL
• Server will request that the client provide a certificate
• Client is not obligated to do so

ssl.CERT_REQUIRED
• Default for a client
• Remote certificate must be validated

Set via the SSLContext.verify_mode attribute


Advanced Certificate Verification
Specifying the Common Name

The client checks that the remote system's common name matches

What if the certificate name refers to a different system?
• Can set the common name when wrapping the socket via server_hostname="common name"
• Can set it directly on an SSLSocket via SSLSocket.server_hostname = "common name"

9.2 Getting TLS Connection Information


TLS Connection Information
Remote Certificate Information

SSLSocket.getpeercert()
• After the connection is established, call this method on the SSLSocket
• Returns a Python dictionary containing the certificate information sent by the remote site
• Can decode and print useful information

Other Uses
• Useful if manually verifying certificates
• Can validate different parts of the remote certificate before completing the handshake manually

TLS Connection Information
Encryption Algorithms

SSLContext
• get_ciphers() – returns the list of all supported encryption algorithms
• set_ciphers() – filters the supported algorithms
• Limits which algorithms may be used

SSLSocket
• cipher()
• Returns information about the algorithm actually selected
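As an added example (not code from the lecture), the settings from 9.1 and from this slide pulled together into one client context: a private root store via cafile/capath, CERT_REQUIRED with hostname checking, a cipher filter inspected through get_ciphers(), and server_hostname set when wrapping. The ca_file path is whatever the caller supplies (hypothetical), "ECDHE+AESGCM" is a chosen example filter, and the socket is never connected, so everything runs offline.

```python
import socket
import ssl

# Added example, not from the lecture. cafile/capath values are whatever the
# caller passes (e.g. a hypothetical "private_ca.pem"); nothing is read here
# unless they are given.

def build_client_context(ca_file=None, ca_dir=None, cipher_spec="ECDHE+AESGCM"):
    """Client SSLContext: root store, verification mode and cipher filter."""
    if ca_file or ca_dir:
        # Fresh, empty store: only the certificate(s) we load are trusted
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_file, capath=ca_dir)
    else:
        # System root store (ssl.create_default_context loads it for us)
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # never CERT_NONE on a client
    ctx.check_hostname = True             # needs CERT_REQUIRED to be set first
    ctx.set_ciphers(cipher_spec)          # limits TLS 1.2 suites; TLS 1.3 unaffected
    return ctx

def tls12_cipher_names(ctx):
    """Names of the TLS 1.2 suites left after set_ciphers(), via get_ciphers()."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def wrap_for_host(ctx, common_name):
    """Wrap a not-yet-connected socket; server_hostname is the name the
    certificate must carry, and do_handshake_on_connect=False leaves the
    handshake to be run manually with SSLSocket.do_handshake() (section 9.3)."""
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    return ctx.wrap_socket(raw, server_hostname=common_name,
                           do_handshake_on_connect=False)

if __name__ == "__main__":
    ctx = build_client_context()
    print(ctx.verify_mode.name, ctx.check_hostname)
    print(tls12_cipher_names(ctx))
    tls_sock = wrap_for_host(ctx, "example.com")
    print(tls_sock.server_hostname)
    tls_sock.close()
```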


9.3 Manual Verification

Manual Verification
Slowing the Process Down

Stopping the TLS handshake from running automatically
• When wrapping the socket, turn the handshake functionality off
• Parameter: do_handshake_on_connect=False
• Default: True
• The connection will be established, but no encryption will be enabled

Then manually run the TLS handshake
• Call SSLSocket.do_handshake() directly
• Runs the handshake and also checks that the common name matches
• Allows for complex certificate verification

Why would you do this?
• Complex scenarios
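An added example, not part of the lecture, of the manual checks described here and under getpeercert() in 9.2: SAMPLE_PEER_CERT is a constructed dictionary in the shape getpeercert() returns (all names made up), and the expected host and issuer "Lab Root CA" are assumed values. handshake_and_check shows where do_handshake() fits once a socket has been wrapped with do_handshake_on_connect=False; the checks themselves run offline over the dictionary.

```python
import ssl
import time
# Constructed sample, shaped like SSLSocket.getpeercert() output (names made up).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "server.lab.local"),),),
    "issuer": ((("organizationName", "Lab Private CA"),),
               (("commonName", "Lab Root CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "server.lab.local"), ("DNS", "*.lab.local")),
}

def rdn_value(name, key):
    return next((v for rdn in name for k, v in rdn if k == key), None)

def hostname_matches(cert, hostname):
    """Match SAN DNS entries (one-label wildcard); use commonName only without SAN."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    names = names or [rdn_value(cert["subject"], "commonName") or ""]
    host = hostname.lower()
    for n in (n.lower() for n in names):
        if n == host or (n.startswith("*.") and host.count(".") == n.count(".")
                         and host.endswith(n[1:])):
            return True
    return False

def check_peer_cert(cert, expected_host, expected_issuer_cn, now=None):
    """Return the list of problems found; an empty list means the cert passed."""
    if not cert:  # {}: handshake not run yet, or verify_mode was CERT_NONE
        return ["no certificate data available"]
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if rdn_value(cert["issuer"], "commonName") != expected_issuer_cn:
        problems.append("unexpected issuer")
    if not hostname_matches(cert, expected_host):
        problems.append("hostname mismatch")
    return problems

def handshake_and_check(tls_sock, expected_host, expected_issuer_cn):
    """For a socket wrapped with do_handshake_on_connect=False (section 9.3)."""
    tls_sock.do_handshake()  # TLS handshake plus the built-in chain/hostname checks
    problems = check_peer_cert(tls_sock.getpeercert(), expected_host, expected_issuer_cn)
    if problems:
        tls_sock.close()
        raise ssl.SSLError("manual verification failed: " + ", ".join(problems))
    return tls_sock
```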
9.4 Tutorial and Laboratory

Week 9
Tutorial – TLS Programming

Questions relating to TLS Programming in Python
• Lecture 7 – TLS Libraries and The TLS Context
• Lecture 8 – TLS Context and SSLContext
• Lecture 9 – Advanced Topics


Week 9
Lab – Python Programming

In this lab, you will complete the following objectives:
• Modify your Client program from the previous lab to allow the Client to authenticate itself with a self-signed certificate
• Modify the Server program to validate the Client certificate

Credit Task:
• Client and Server should both retrieve and print certificate information to the screen after the TLS connection is established
• Both Client and Server certificates should be signed by a private Certificate Authority

Distinction Task:
• Client and Server certificates should be signed by a certificate chain including a private Intermediate Authority and a private Certificate Authority
