Working in the DOD, there are a few things you just come to accept. Web servers require security (SSL), and SSL in turn requires Common Access Card (CAC) authentication. I had hoped that when I implemented the HTTP Monitor for Freezerburn, I could ignore all the security aspects and simply say "It's behind all the government firewalls" and "It requires an account on the fileserver". I wasn't so lucky.
After a lot of research from articles like:
This creates a new object called the "SecureHTTPServer" that acts just like the regular HTTPServer, except it allows you to specify the location of the DOD Root Certificates, the Server Private Key, and the Server SSL Certificate. The only real difference from the ASPN one is that it turns on Client Certificate Verification, which is the core of the CAC Authentication scheme. With that little snippet of code, SSL & CAC were enabled in one fell swoop!

    import socket, os
    from SocketServer import BaseServer
    from BaseHTTPServer import HTTPServer
    from SimpleHTTPServer import SimpleHTTPRequestHandler
    from SocketServer import ThreadingMixIn
    from OpenSSL import SSL
    import sys

    class SecureHTTPServer(HTTPServer):
        def __init__(self, server_address, HandlerClass,
                     dodcerts, serverkey, servercert):
            BaseServer.__init__(self, server_address, HandlerClass)
            # Based on online documentation, the v23 method actually enables TLS1 as well.
            ctx = SSL.Context(SSL.SSLv23_METHOD)
            #ctx = SSL.Context(SSL.TLSv1_METHOD)
            print "Loading Private Key from %s" % serverkey
            ctx.use_privatekey_file(serverkey)
            print "Loading Certificate from %s" % servercert
            ctx.use_certificate_file(servercert)
            print "Loading DOD Certifications from %s" % dodcerts
            # Depth 2 allows a chain of client cert -> DOD intermediate CA -> DOD root.
            ctx.set_verify_depth(2)
            # Advertise the DOD CAs as acceptable issuers and trust them for chain validation.
            ctx.load_client_ca(dodcerts)
            ctx.load_verify_locations(dodcerts)
            print "Creating SSL socket"
            # The callback returns OpenSSL's own verdict (retcode), so chain validation
            # against the loaded DOD certificates decides whether the handshake proceeds.
            callback = lambda conn, cert, errno, depth, retcode: retcode
            # VERIFY_PEER requests a client certificate; VERIFY_FAIL_IF_NO_PEER_CERT
            # rejects any client that does not present one.
            ctx.set_verify(SSL.VERIFY_FAIL_IF_NO_PEER_CERT | SSL.VERIFY_PEER, callback)
            ctx.set_session_id('Freezerburn')
            self.socket = SSL.Connection(ctx, socket.socket(self.address_family,
                                                            self.socket_type))
            self.server_bind()
            self.server_activate()

    class SecureHTTPRequestHandler(SimpleHTTPRequestHandler):
        def setup(self):
            # Wrap the SSL connection in file objects so the base handler can read and write it.
            self.connection = self.request
            self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
            self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
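As an added example (not code from the original post or from Freezerburn), the same arrangement written against the standard-library ssl module of current Python 3, with no pyOpenSSL dependency: CERT_REQUIRED plays the role of VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, and the handler then reads the already-verified client certificate to pull out the CAC identity, which the post's pass-through callback never does. The file paths, the sample certificate dict and the LAST.FIRST.MIDDLE.EDIPI subject layout are assumptions.

```python
import ssl
from http.server import HTTPServer, SimpleHTTPRequestHandler

def client_auth_context():
    """Server-side TLS context that refuses any client without a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv23_METHOD negotiated anything
    # Equivalent of VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT in the post's code.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def cac_identity(peercert):
    """Subject CN from a getpeercert() dict, split on the assumed LAST.FIRST.MIDDLE.EDIPI layout."""
    if not peercert:
        return None  # no verified certificate (cannot happen under CERT_REQUIRED)
    cn = None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    if cn is None:
        return None
    last = cn.rsplit(".", 1)[-1]
    return {"cn": cn, "edipi": last if last.isdigit() else None}

class CACRequestHandler(SimpleHTTPRequestHandler):
    def do_GET(self):
        # self.connection is the SSLSocket; its peer cert already chained to the loaded CAs.
        ident = cac_identity(self.connection.getpeercert())
        if ident is None or ident["edipi"] is None:
            self.send_error(403, "client certificate carries no usable CAC identity")
            return
        self.log_message("request from EDIPI %s (%s)", ident["edipi"], ident["cn"])
        super().do_GET()

def serve(address, servercert, serverkey, dodcerts):
    ctx = client_auth_context()
    ctx.load_cert_chain(servercert, serverkey)  # assumed paths to server cert and key
    ctx.load_verify_locations(dodcerts)         # assumed path to the DOD CA bundle (PEM)
    httpd = HTTPServer(address, CACRequestHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()

# Constructed sample shaped like SSLSocket.getpeercert() output; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "U.S. Government"),),
                (("commonName", "DOE.JOHN.Q.1234567890"),)),
}
```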
Technorati Tags: ssl, python, cac
Yeraze's Domain
http://www.yeraze.com/article.php/20080325131104732