Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hamburg Python Pizza 2019: ssl module 10

Hamburg Python Pizza 2019: ssl module 10

Christian Heimes

November 09, 2019
Tweet

More Decks by Christian Heimes

Other Decks in Programming

Transcript

  1. ssl module 101
    Python Pizza 2019 / Hamburg
    Christian Heimes
    Principal Software Engineer
    [email protected] / [email protected]
    @ChristianHeimes

    View Slide

  2. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    2
    Who am I?

    Python core developer since 2008

    maintainer of ssl and hashlib module

    Python security team

    Red Hat Security Engineering

    FreeIPA Identity Management

    Dogtag PKI

    from Hamburg

    View Slide

  3. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    3

    View Slide

  4. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    4
    Wikipedia definition
    Transport Layer Security (TLS) – and its predecessor, Secure Sockets
    Layer (SSL) – are cryptographic protocols that provide
    communications security over a computer network. The TLS protocol
    aims primarily to provide privacy and data integrity between two
    communicating computer applications.

    View Slide

  5. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    5
    SSL
    TLS

    View Slide

  6. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    6
    TLS core features

    encrypted transport stream

    application protocol agnostic

    integrity check

    replay attack protection

    strong authentication of server

    strong authentication of client (optional)

    extensible protocol

    View Slide

  7. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    7

    View Slide

  8. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    8
    ssl module content

    SSLContext (configuration)

    CERT_*

    VERIFY_*

    PROTOCOL_*

    OP_*

    TLSVersion.*

    create_default_context() SSLContext


    SSLSocket (socket wrapper)

    SSLObject (asyncio wrapper)

    View Slide

  9. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    9
    Connecting to a server
    >>> import socket, ssl
    >>> import socket, ssl
    >>> ctx = ssl.create_default_context()
    >>> ctx

    >>> ctx.verify_mode, ctx.check_hostname
    (, True)
    >>> ctx = ssl.create_default_context()
    >>> ctx

    >>> ctx.verify_mode, ctx.check_hostname
    (, True)
    >>> sock = socket.create_connection(('hamburg.python.pizza', 443))
    >>> sock

    >>> sock = socket.create_connection(('hamburg.python.pizza', 443))
    >>> sock

    >>> ssock = ctx.wrap_socket(sock, server_hostname='hamburg.python.pizza')
    >>> ssock

    >>> ssock = ctx.wrap_socket(sock, server_hostname='hamburg.python.pizza')
    >>> ssock

    View Slide

  10. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    10
    Connecting to a server (2)
    >>> ssock.sendall(b"GET / HTTP/1.1\r\nHost:hamburg.python.pizza\r\n\r\n")
    45
    >>> ssock.recv(17)
    b'HTTP/1.1 200 OK\r\n'
    >>> ssock.sendall(b"GET / HTTP/1.1\r\nHost:hamburg.python.pizza\r\n\r\n")
    45
    >>> ssock.recv(17)
    b'HTTP/1.1 200 OK\r\n'
    >>> ssock.cipher()
    ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
    ('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1.2', 128)
    >>> ssock.cipher()
    ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
    ('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1.2', 128)
    >>> pprint(ssock.getpeercert())
    {'issuer': ((('countryName', 'US'),), (('organizationName', "Let's Encrypt"),),
    (('commonName', "Let's Encrypt Authority X3"),)),
    'notAfter': 'Jan 23 15:13:59 2020 GMT',
    'notBefore': 'Oct 25 15:13:59 2019 GMT',
    'serialNumber': '04475BA2081686AAEE9701B751A5F6597107',
    'subject': ((('commonName', '*.naples.python.pizza'),),),
    'subjectAltName': (('DNS', '*.naples.python.pizza'), ('DNS', '*.python.pizza'), ('DNS', 'python.pizza')),
    'version': 3}
    >>> pprint(ssock.getpeercert())
    {'issuer': ((('countryName', 'US'),), (('organizationName', "Let's Encrypt"),),
    (('commonName', "Let's Encrypt Authority X3"),)),
    'notAfter': 'Jan 23 15:13:59 2020 GMT',
    'notBefore': 'Oct 25 15:13:59 2019 GMT',
    'serialNumber': '04475BA2081686AAEE9701B751A5F6597107',
    'subject': ((('commonName', '*.naples.python.pizza'),),),
    'subjectAltName': (('DNS', '*.naples.python.pizza'), ('DNS', '*.python.pizza'), ('DNS', 'python.pizza')),
    'version': 3}

    View Slide

  11. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    11
    wrap_socket()

    agree on connection parameters

    TLS version

    ciphers

    virtual host (server_hostname)

    server proofs its identity

    X.509 certificate, private key

    client verifies server

    root CA certs, server_hostname

    agree on common master secret

    Diffie-Hellman

    View Slide

  12. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    12
    TLS 1.2 handshake
    ClientHello
    Supported cipher suites
    max version, client random, ...
    Finish
    MAC of handshake message
    ChangeCipherSpec
    ClientKeyChange
    Diffie-Hellman server params
    Finish
    MAC of handshake message
    ChangeCipherSpec
    HTTP GET
    (verify mac)
    ServerHello
    select cipher suite
    version, server random, ...
    Certificate Chain
    ServerHelloDone
    ServerKeyExchange
    Diffie-Hellman server params
    Signature

    View Slide

  13. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    13
    Certificate types

    trust anchors (root CA certs)

    intermediate CA certs

    end-entity certs

    server

    client

    code signing

    email

    CRL/OCSP signing

    ...
    root CA
    self-signs
    intermediate CA 1
    intermediate CA 2
    signs
    end-entity cert
    signs
    signs

    View Slide

  14. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    14
    Hostname verification
    >>> pprint(ssock.getpeercert())
    {'issuer': ((('countryName', 'US'),), (('organizationName', "Let's Encrypt"),),
    (('commonName', "Let's Encrypt Authority X3"),)),
    'notAfter': 'Jan 23 15:13:59 2020 GMT',
    'notBefore': 'Oct 25 15:13:59 2019 GMT',
    'serialNumber': '04475BA2081686AAEE9701B751A5F6597107',
    'subject': ((('commonName', '*.naples.python.pizza'),),),
    'subjectAltName': (
    ('DNS', '*.naples.python.pizza'),
    ('DNS', '*.python.pizza'),
    ('DNS', 'python.pizza')
    ),
    'version': 3}
    >>> pprint(ssock.getpeercert())
    {'issuer': ((('countryName', 'US'),), (('organizationName', "Let's Encrypt"),),
    (('commonName', "Let's Encrypt Authority X3"),)),
    'notAfter': 'Jan 23 15:13:59 2020 GMT',
    'notBefore': 'Oct 25 15:13:59 2019 GMT',
    'serialNumber': '04475BA2081686AAEE9701B751A5F6597107',
    'subject': ((('commonName', '*.naples.python.pizza'),),),
    'subjectAltName': (
    ('DNS', '*.naples.python.pizza'),
    ('DNS', '*.python.pizza'),
    ('DNS', 'python.pizza')
    ),
    'version': 3}

    View Slide

  15. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    15
    Don't roll your own verification

    CN/SAN

    wildcards

    internationalized domain names (IDNA)

    > 6 bugs in Python's hostname verification code

    CVE-2013-2099, #12000, #17997, #17305, #30141

    Python 3.7 uses X509_VERIFY_PARAM_set1_host()
    OpenSSL 1.0.2+ / LibreSSL 2.7.0

    View Slide

  16. ssl module 101, Python Pizza Hamburg 2019, @ChristianHeimes, CC BY-SA 4.0
    17
    Books

    View Slide

  17. THANK YOU
    plus.google.com/+RedHat
    youtube.com/user/RedHatVideos
    facebook.com/redhatinc
    twitter.com/RedHat
    linkedin.com/company/red-hat

    View Slide