19

Just trying to set up a simple SSL server. I have never had anything SSL work for me in the past. I have a loose understanding of how SSL certificates and signing work.

The code is simple

import socket, ssl

# server-side context; the PEM file named here is what the question is about
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.load_cert_chain(certfile="mycertfile") ###############

bindsocket = socket.socket()
bindsocket.bind(('', 2099))
bindsocket.listen(5)

while True:
    newsocket, fromaddr = bindsocket.accept()
    # TLS handshake happens on the first read/write after wrapping
    sslsoc = context.wrap_socket(newsocket, server_side=True)
    request = sslsoc.read()
    print(request)
    sslsoc.close()  # release the connection before accepting the next one

The line in there with the ###s after it is the one that isn't working. I don't know what I have to do with openssl to generate a PEM file that will work here.

Can anyone enlighten me as to how to make this simple socket work.

By the way, this is NOT used for HTTP.

  • If you're amenable to using twisted, there's a good example here that uses OpenSSL: twistedmatrix.com/documents/current/core/howto/ssl.html Looks like that requires a certificate and a public key, where the certificate is signed with the public key's private pair. Commented Jun 29, 2012 at 3:31
  • That's good and it looks rather simpler, but all I need are the commands to generate the correct file to use. I tried it a little while ago but got very strange errors. Obviously I didn't sign it correctly or use the right file. Commented Jun 29, 2012 at 4:20
  • It looks like there are a lot of tutorials for this, have you tried following this one, for example? devsec.org/info/ssl-cert.html Commented Jun 29, 2012 at 4:35
  • try: openssl req -x509 -nodes -days 7 -newkey rsa:2048 -keyout mycertfile.pem -out mycertfile.pem (google 'create self-signed test certificate') Commented Jun 29, 2012 at 4:41
  • In the future when posting to SO, please don't just say "it's not working"; if there is an exception, error messages or anything else diagnostic printed out, then include that in the question. Verbatim, so copy-and-paste, do not edit the information. It will help a lot in getting correct answers. Also, as you found the problem, you should post that as an answer and accept it. It will help future visitors to find it more easily. Commented Jun 29, 2012 at 5:55

2 Answers

30

You can use this command to generate a self-signed certificate:

openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem

The openssl framework will ask you to enter some information, such as your country, city, etc. Just follow the instructions, and you will get a cert.pem file. The output file will have both your RSA private key, with which you can generate your public key, and the certificate. The output file looks like this:

-----BEGIN RSA PRIVATE KEY-----
 # your private key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
 # your certificate
-----END CERTIFICATE-----

Just load it, and the ssl module will handle the rest for you:

context.load_cert_chain(certfile="cert.pem", keyfile="cert.pem")

BTW, there is no "SSLContext" in Python 2. For guys who are using Python 2, just assign the PEM file when wrapping the socket:

newsocket, fromaddr = bindsocket.accept()
# Python 2 style: no context object, cert/key and protocol go straight
# into ssl.wrap_socket; one file can serve as both certfile and keyfile
connstream = ssl.wrap_socket(newsocket,
                             server_side=True,
                             certfile="cert.pem",
                             keyfile="cert.pem",
                             ssl_version=ssl.PROTOCOL_SSLv23)  # pick from the list below

Available SSL versions: ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23. If you have no idea, ssl.PROTOCOL_SSLv23 may be your choice, as it provides the most compatibility with other versions.


2 Comments

To create a context, call the ssl.create_default_context function (it works on recent Python 2 versions too).
I know this is an old post, but due to the POODLE vulnerability no-one should be advising the use of SSLv3 over TLS. More information at en.wikipedia.org/wiki/POODLE
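The following is an added example and not code from the question or either answer. It ties the two threads together: a check for the failure behind the question (a certfile that does not carry the private key alongside the certificate, so load_cert_chain has nothing to pair with), generation of a key+certificate bundle in the layout the accepted answer shows, and a non-HTTP TLS echo round trip over loopback in which the client trusts only that self-signed certificate. Assumptions: the openssl CLI is on PATH (the demo returns None otherwise), the certificate is issued for localhost, an ephemeral port replaces 2099, and the ssl defaults are the modern ones (PROTOCOL_TLS_SERVER with a TLS 1.2 floor, Python 3.7+) rather than PROTOCOL_TLSv1 or the SSLv23 suggestion above. All function names are the example's own.

```python
import os
import re
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# PEM labels that satisfy the "private key" half of load_cert_chain(). Older
# openssl writes the PKCS#1 "RSA PRIVATE KEY" label shown in the answer;
# current releases write the PKCS#8 "PRIVATE KEY" label. Both load fine.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t\r]*$", re.MULTILINE)


def pem_labels(pem_text):
    """Return the BEGIN labels of every block in a PEM bundle, in file order."""
    return PEM_BEGIN.findall(pem_text)


def missing_for_load_cert_chain(pem_text):
    """What load_cert_chain(certfile=<this file>) would fail to find.

    Returns a subset of {"certificate", "private key"}; an empty set means the
    file has the two-block layout the accepted answer shows. A certificate-only
    file (the question's likely case) reports {"private key"}.
    """
    labels = set(pem_labels(pem_text))
    missing = set()
    if "CERTIFICATE" not in labels:
        missing.add("certificate")
    if not labels & KEY_LABELS:
        missing.add("private key")
    return missing


def generate_self_signed(bundle_path, cn="localhost", days=7):
    """Create key + self-signed certificate with the openssl CLI, in one file.

    Same idea as the answer's command, but non-interactive (-subj) and with a
    SAN so the client's hostname check matches on DNS name rather than CN.
    Returns False if no usable openssl binary is on PATH.
    """
    openssl = shutil.which("openssl")
    if openssl is None:
        return False
    key_path, crt_path = bundle_path + ".key", bundle_path + ".crt"
    base = [openssl, "req", "-x509", "-nodes", "-newkey", "rsa:2048",
            "-days", str(days), "-subj", "/CN=%s" % cn,
            "-keyout", key_path, "-out", crt_path]
    san = ["-addext", "subjectAltName=DNS:%s" % cn]
    # -addext needs OpenSSL 1.1.1+; older builds get a CN-only certificate,
    # which Python's hostname check still accepts when no SAN is present.
    for args in (base + san, base):
        try:
            subprocess.run(args, check=True, capture_output=True)
            break
        except subprocess.CalledProcessError:
            continue
    else:
        return False
    with open(bundle_path, "w") as out:  # key first, then cert, as in the answer
        for part in (key_path, crt_path):
            with open(part) as fh:
                out.write(fh.read())
    return True


def make_server_context(certfile, keyfile=None):
    """Server context with current defaults instead of PROTOCOL_TLSv1.

    PROTOCOL_TLS_SERVER negotiates the newest version both ends support; the
    explicit floor keeps SSLv3/TLS 1.0/1.1 (POODLE-era protocols) off the table.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def make_client_context(cafile):
    """Client context that trusts exactly one root: the pinned self-signed cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def echo_once(server_ctx, bindsocket):
    """Accept one client, wrap it like the question's loop, echo one message."""
    newsocket, _fromaddr = bindsocket.accept()
    with server_ctx.wrap_socket(newsocket, server_side=True) as sslsoc:
        request = sslsoc.recv(4096)
        sslsoc.sendall(b"echo: " + request)


def run_demo(message=b"hello over TLS, not HTTP"):
    """Loopback round trip. Returns the server's reply, or None when the
    openssl CLI is missing and no certificate could be generated."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "cert.pem")
        if not generate_self_signed(bundle):
            return None
        with open(bundle) as fh:
            assert missing_for_load_cert_chain(fh.read()) == set()

        server_ctx = make_server_context(bundle)  # keyfile omitted: same file
        bindsocket = socket.socket()
        bindsocket.bind(("127.0.0.1", 0))  # ephemeral port instead of 2099
        bindsocket.listen(1)
        port = bindsocket.getsockname()[1]
        worker = threading.Thread(target=echo_once, args=(server_ctx, bindsocket))
        worker.start()

        raw = socket.create_connection(("127.0.0.1", port))
        # server_hostname is what the certificate is checked against; any other
        # name raises ssl.CertificateError before application data flows
        client_ctx = make_client_context(bundle)
        with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(message)
            reply = tls.recv(4096)
        worker.join()
        bindsocket.close()
        return reply


if __name__ == "__main__":
    print(run_demo())
```

Run the file directly to see the echoed reply; feed `missing_for_load_cert_chain` the text of any PEM file you are about to hand to `load_cert_chain` to learn whether it is the certificate or the key that is absent before the ssl module raises on it. The client side deliberately uses `create_default_context` with the self-signed certificate as the only CA and keeps hostname checking on; dropping `check_hostname` or setting `verify_mode = CERT_NONE` is the usual shortcut and is exactly what turns a self-signed setup into an unauthenticated one.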
-1

In your example, you provide a certfile, but no keyfile. Both are required.

1 Comment

Your note is OK, but you should say it in the comments.
