Hamburg Python Pizza 2019: ssl module 10

ssl module 101
Python Pizza 2019 / Hamburg
Christian Heimes
Principal Software Engineer
[email protected] / [email protected]
@ChristianHeimes

View Slide

ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
2
Who am I?
●
Python core developer since 2008
●
maintainer of ssl and hashlib module
●
Python security team
●
Red Hat Security Engineering
●
FreeIPA Identity Management
●
Dogtag PKI
●
from Hamburg

View Slide

3

View Slide

4
Wikipedia definition
Transport Layer Security (TLS) – and its predecessor, Secure Sockets
Layer (SSL) – are cryptographic protocols that provide
communications security over a computer network. The TLS protocol
aims primarily to provide privacy and data integrity between two
communicating computer applications.

View Slide

5
SSL
TLS

View Slide

6
TLS core features
●
encrypted transport stream
●
application protocol agnostic
●
integrity check
●
replay attack protection
●
strong authentication of server
●
strong authentication of client (optional)
●
extensible protocol

View Slide

7

View Slide

8
ssl module content
●
SSLContext (configuration)
●
CERT_*
●
VERIFY_*
●
PROTOCOL_*
●
OP_*
●
TLSVersion.*
●
create_default_context() SSLContext
→
●
SSLSocket (socket wrapper)
●
SSLObject (asyncio wrapper)

View Slide

9
Connecting to a server
>>> import socket, ssl
>>> import socket, ssl
>>> ctx = ssl.create_default_context()
>>> ctx

>>> ctx.verify_mode, ctx.check_hostname
(, True)
>>> ctx = ssl.create_default_context()
>>> ctx

>>> ctx.verify_mode, ctx.check_hostname
(, True)
>>> sock = socket.create_connection(('hamburg.python.pizza', 443))
>>> sock

>>> sock = socket.create_connection(('hamburg.python.pizza', 443))
>>> sock

>>> ssock = ctx.wrap_socket(sock, server_hostname='hamburg.python.pizza')
>>> ssock

>>> ssock = ctx.wrap_socket(sock, server_hostname='hamburg.python.pizza')
>>> ssock

View Slide

10
Connecting to a server (2)
>>> ssock.sendall(b"GET / HTTP/1.1\r\nHost:hamburg.python.pizza\r\n\r\n")
45
>>> ssock.recv(17)
b'HTTP/1.1 200 OK\r\n'
>>> ssock.sendall(b"GET / HTTP/1.1\r\nHost:hamburg.python.pizza\r\n\r\n")
45
>>> ssock.recv(17)
b'HTTP/1.1 200 OK\r\n'
>>> ssock.cipher()
('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1.2', 128)
>>> ssock.cipher()
('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1.2', 128)
>>> pprint(ssock.getpeercert())
{'issuer': ((('countryName', 'US'),), (('organizationName', "Let's Encrypt"),),
(('commonName', "Let's Encrypt Authority X3"),)),
'notAfter': 'Jan 23 15:13:59 2020 GMT',
'notBefore': 'Oct 25 15:13:59 2019 GMT',
'serialNumber': '04475BA2081686AAEE9701B751A5F6597107',
'subject': ((('commonName', '*.naples.python.pizza'),),),
'subjectAltName': (('DNS', '*.naples.python.pizza'), ('DNS', '*.python.pizza'), ('DNS', 'python.pizza')),
'version': 3}
'notAfter': 'Jan 23 15:13:59 2020 GMT',
'subjectAltName': (('DNS', '*.naples.python.pizza'), ('DNS', '*.python.pizza'), ('DNS', 'python.pizza')),
'version': 3}

View Slide

11
wrap_socket()
●
agree on connection parameters
●
TLS version
●
ciphers
●
virtual host (server_hostname)
●
server proofs its identity
●
X.509 certificate, private key
●
client verifies server
●
root CA certs, server_hostname
●
agree on common master secret
●
Diffie-Hellman

View Slide

12
TLS 1.2 handshake
ClientHello
Supported cipher suites
max version, client random, ...
Finish
MAC of handshake message
ChangeCipherSpec
ClientKeyChange
Diffie-Hellman server params
Finish
MAC of handshake message
ChangeCipherSpec
HTTP GET
(verify mac)
ServerHello
select cipher suite
version, server random, ...
Certificate Chain
ServerHelloDone
ServerKeyExchange
Diffie-Hellman server params
Signature

View Slide

13
Certificate types
●
trust anchors (root CA certs)
●
intermediate CA certs
●
end-entity certs
●
server
●
client
●
code signing
●
email
●
CRL/OCSP signing
●
...
root CA
self-signs
intermediate CA 1
intermediate CA 2
signs
end-entity cert
signs
signs

View Slide

14
Hostname verification
'notAfter': 'Jan 23 15:13:59 2020 GMT',
'subjectAltName': (
('DNS', '*.naples.python.pizza'),
('DNS', '*.python.pizza'),
('DNS', 'python.pizza')
),
'version': 3}
'notAfter': 'Jan 23 15:13:59 2020 GMT',
'subjectAltName': (
('DNS', '*.naples.python.pizza'),
('DNS', '*.python.pizza'),
('DNS', 'python.pizza')
),
'version': 3}

View Slide

15
Don't roll your own verification
●
CN/SAN
●
wildcards
●
internationalized domain names (IDNA)
●
> 6 bugs in Python's hostname verification code
●
CVE-2013-2099, #12000, #17997, #17305, #30141
●
Python 3.7 uses X509_VERIFY_PARAM_set1_host()
OpenSSL 1.0.2+ / LibreSSL 2.7.0

View Slide

17
Books

View Slide

THANK YOU
plus.google.com/+RedHat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
linkedin.com/company/red-hat

View Slide

Hamburg Python Pizza 2019: ssl module 10

Hamburg Python Pizza 2019: ssl module 10

Christian Heimes

More Decks by Christian Heimes

Other Decks in Programming

Featured

Transcript