
Python simple SSL communication

I want to initiate a simple SSL connection between a client and a server written in python 3, but I am getting errors.

Here is the server code :

#!/usr/bin/python3
import socket
import ssl

HOST, PORT = '0.0.0.0', 12345

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((HOST, PORT))
sock.listen(10)
client, addr = sock.accept()

# WRAP SOCKET
wrappedSocket = ssl.wrap_socket(client, server_side=True, ssl_version=ssl.PROTOCOL_SSLv23, ciphers="ADH-AES256-SHA")

# CONNECT AND PRINT REPLY

print(wrappedSocket.recv(1024))

# CLOSE SOCKET CONNECTION
wrappedSocket.close()

And here is the client code :

#!/usr/bin/python3

import socket
import ssl

HOST, PORT = '127.0.0.1', 12345

# CREATE SOCKET
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# WRAP SOCKET
wrappedSocket = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv23, ciphers="ADH-AES256-SHA")

# connect and send a message
wrappedSocket.connect((HOST, PORT))
wrappedSocket.send(b"Hello")

wrappedSocket.close()

And here is the error that I am having on the server side :

Traceback (most recent call last):
  File "server.py", line 18, in <module>
    wrappedSocket = ssl.wrap_socket(client, server_side=True, ssl_version=ssl.PROTOCOL_SSLv23, ciphers="ADH-AES256-SHA")
  File "/usr/lib/python3.4/ssl.py", line 890, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python3.4/ssl.py", line 509, in __init__
    raise ValueError("certfile must be specified for server-side "
ValueError: certfile must be specified for server-side operations

Please, I don't want a complicated SSL connection, I am just looking for the simplest way possible to encrypt the data between the client and the server, just like ncat with the --ssl option ( ncat --ssl -l -p 12345 from the server side, and ncat --ssl 127.0.0.1 12345 from the client side).

PS : I am using Ubuntu 15.10 and Python 3.

You can generate a self-signed certificate using openssl and, on the server side, specify the certfile and keyfile attributes in wrap_socket.

Generating an RSA public/private-key pair

openssl genrsa -out private.pem 2048

Generating a self-signed certificate

openssl req -new -x509 -key private.pem -out cacert.pem -days 1095

Using SSL as the security protocol will require you to either create or purchase SSL certificates since that is a required part of the handshake.

From RFC 6101

5.6.2. Server Certificate

If the server is to be authenticated (which is generally the case), the server sends its certificate immediately following the server hello message. The certificate type must be appropriate for the selected cipher suite's key exchange algorithm, and is generally an X.509.v3 certificate

Pass your certfile to the wrapper:

from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl
httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket,
                certfile='/tmp/tcert_key.pem', server_side=True)
httpd.serve_forever()

Then you have to enter the passphrase for your self-signed, secured private key. The integrated key file (certfile) can be generated with cat or type in the shell:

type tkey.pem tcert.pem > tcert_key.pem

This is equivalent to:

$ cat file1 file2 > file3

It is possible to remove the passphrase of the private key file for the secured server side case. OpenSSL provides utils to do that. For example:

 openssl pkey -in yourkey-with-pass.pem -out yourkey-without-pass.pem
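
Added example (not part of the original question or answers): a minimal client and server built on ssl.SSLContext, which replaces ssl.wrap_socket() (removed in Python 3.12). The server loads the key and self-signed certificate produced by the openssl commands above, and the client trusts only that certificate, so the link is authenticated as well as encrypted, unlike the anonymous ADH cipher in the question. The -subj and -addext options, the loopback port and all function names are assumptions made for this example.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(directory):
    """The answer's two openssl commands; -subj/-addext added to avoid prompts."""
    key, cert = (os.path.join(directory, n) for n in ("private.pem", "cacert.pem"))
    subprocess.run(["openssl", "genrsa", "-out", key, "2048"],
                   check=True, capture_output=True)
    subprocess.run(["openssl", "req", "-new", "-x509", "-key", key, "-out", cert,
                    "-days", "1095", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"],
                   check=True, capture_output=True)
    return key, cert

def serve_once(listener, key, cert):
    """Accept one connection, complete the TLS handshake, echo one message."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"echo: " + tls.recv(1024))
    except (ssl.SSLError, OSError):
        conn.close()  # e.g. the client rejected our certificate

def send_hello(port, trusted_cert):
    """Client that trusts only trusted_cert (or nothing when it is None)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if trusted_cert:
        ctx.load_verify_locations(cafile=trusted_cert)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname="localhost") as tls:
            tls.sendall(b"Hello")
            return tls.version(), tls.recv(1024)

def round_trip(trust_server_cert=True):
    """One-shot server on a free loopback port plus one client connection."""
    with tempfile.TemporaryDirectory() as d, socket.socket() as listener:
        key, cert = make_self_signed(d)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        server = threading.Thread(target=serve_once, args=(listener, key, cert),
                                  daemon=True)
        server.start()
        try:
            return send_hello(listener.getsockname()[1],
                              cert if trust_server_cert else None)
        finally:
            server.join(timeout=5)

if __name__ == "__main__":
    print(round_trip())
```

Calling round_trip(trust_server_cert=False) raises ssl.SSLCertVerificationError, which is the check that stops a client from talking to an impostor server.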
