SSL Mutual Authentication - Client and Server Side. Python → Django / Twisted / Tornado
I am creating a Python application where the client side will request XML pages from the server (also Python).
I would like to do something along the lines of the Puppet configuration management system. Puppet works as follows:
1) If the client is running for the first time, it generates a certificate signing request and a private key. The former is an x509 certificate that is self-signed.
2) The client connects to the master (the client is not authenticated at this point) and sends the CSR; it will also receive the CA certificate and CRL in response.
3) The master stores the CSR locally.
4) The administrator verifies the CSR and may eventually sign it (this process can be automated with autosigning). I highly recommend checking the certificate fingerprint at this point.
5) The client waits for its signed certificate, which the master eventually sends.
6) All subsequent messages will use this client certificate. Master and client authenticate each other by virtue of sharing the same CA.
(from http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/ )
The main things I don't know how to do:
- What are the best libraries to use?
- What to use on the server side? Will Django behind apache / nginx sign the certificate on first launch and authorize using certificates later on, or do I need to use something like twisted on the front side?
- Is the best way to send the CSR a POST to the server?
- Does anyone know if there are some code examples that will cover both client and server sides?
- Is there any other way to establish a trusted connection between client and server without human intervention (which is best for authentication between web services)?
There's a Python wrapper around M2Crypto called pki, which makes CSR creation very easy. You should be able to use Django for this; I see no reason why you would need Twisted.
You can also send CSR using POST, yes, there is nothing confidential there - that's the point.
The pki package I linked to has some pretty thorough docstrings that should get you started.
I don't think you can establish a "trusted connection" without any human intervention. Trust is a human concept - and so you will need to approve at least the first connection request, and hopefully you make sure that the person trying to connect is indeed authorized.
Note that "verification" in this context means calling a person and asking who they are and why they are trying to connect to your service and ask them to confirm the fingerprint of the private key used for the CSR.
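The question lists the six enrolment steps and the answer settles on creating the CSR in Python, POSTing it, and having a human confirm the fingerprint before signing. The block below is an added example of that flow, not code from the question, the answer, or Puppet. It models the whole exchange offline: the client makes a key and CSR, the master's POST handler stores the CSR as pending, the operator approves it by fingerprint, the CA signs it with client-auth usage, and the master verifies the resulting certificate against the shared CA. It uses the `cryptography` package (assumed installed) in place of the M2Crypto/pki wrapper the answer mentions; the names `example-ca` and `node1.example.com` are made up, and the HTTP transport and TLS sockets are left out so only the certificate logic is shown.

```python
# Added example (not from the question, the answer, or Puppet): a
# Puppet-style enrolment flow modelled offline with the `cryptography`
# package, assumed to be installed. Hostnames and CA names are made up.
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

PEM = serialization.Encoding.PEM
DER = serialization.Encoding.DER


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name="example-ca"):
    """Master side: a self-signed CA certificate that every client will trust."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def client_make_csr(hostname):
    """Step 1, client side: the private key never leaves the host, only the CSR does."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(PEM, serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return key_pem, csr.public_bytes(PEM)


def csr_fingerprint(csr_pem):
    """SHA-256 of the DER-encoded CSR: the value the admin confirms out of band (step 4)."""
    csr = x509.load_pem_x509_csr(csr_pem)
    return hashlib.sha256(csr.public_bytes(DER)).hexdigest()


def master_receive_csr(pending, csr_pem):
    """Steps 2-3: what the POST handler does. The CSR is stored, nothing is signed yet."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:  # proof that the requester holds the private key
        raise ValueError("CSR signature does not verify")
    fp = csr_fingerprint(csr_pem)
    pending[fp] = csr_pem
    return fp


def master_sign(ca_key, ca_cert, pending, approved_fp, days=365):
    """Steps 4-5: sign only the pending CSR whose fingerprint the admin approved."""
    csr_pem = pending.pop(approved_fp, None)
    if csr_pem is None:
        raise ValueError("no pending CSR with that fingerprint")
    csr = x509.load_pem_x509_csr(csr_pem)
    cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=days))
        # the CA, not the requester, decides what the certificate may be used for
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return cert.public_bytes(PEM)


def _not_after(cert):
    try:
        return cert.not_valid_after_utc  # cryptography >= 42
    except AttributeError:
        return cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)


def verify_client_cert(ca_cert, cert_pem):
    """Step 6: the checks the master runs on a presented client certificate
    (the client runs the same checks on the master's certificate).
    Returns the CN on success and raises on any failure."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    if cert.issuer != ca_cert.subject:
        raise ValueError("issuer is not our CA")
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    if _not_after(cert) < _now():
        raise ValueError("certificate expired")
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        raise ValueError("not a client-auth certificate")
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
```

Once the PEMs exist, the mutual TLS in step 6 needs no application code: on the Python side an `ssl.SSLContext` with `verify_mode = ssl.CERT_REQUIRED`, `load_verify_locations(cafile=...)` pointing at the CA certificate and `load_cert_chain(certfile, keyfile)` for each party's own certificate does it, and with Django behind nginx the equivalent is `ssl_client_certificate` plus `ssl_verify_client on` in the server block, after which the application only sees already-authenticated requests. Two points the example makes explicit that are easy to get wrong: the fingerprint the admin confirms is over the CSR the master actually stored, so what gets signed is exactly what was approved, and the CA sets the extensions itself rather than copying whatever the requester asked for.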