  1. #!/usr/bin/env python3
  2. # Foundations of Python Network Programming, Third Edition
  3. # https://github.com/brandon-rhodes/fopnp/blob/m/py3/chapter06/safe_tls.py
  4. # Simple TLS client and server using safe configuration defaults
  5.  
  6. import argparse, socket, ssl
  7.  
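def client(host, port, cafile=None):
    """Connect to a TLS server, print everything it sends, then return.

    Args:
        host: Hostname (or IP address) to connect to. It is also passed as
            ``server_hostname``, so it drives SNI and the hostname check.
        port: TCP port number.
        cafile: Path to a PEM file of trusted CA certificates. ``None``
            means the platform's default trust store is used.

    Raises:
        OSError: if the TCP connection fails.
        ssl.SSLError: if the handshake fails, including when the server
            certificate cannot be verified against ``cafile`` (a
            SERVER_AUTH default context requires a verified certificate
            whose name matches ``host``; that check is the point of this
            script and must not be relaxed).
    """
    purpose = ssl.Purpose.SERVER_AUTH
    context = ssl.create_default_context(purpose, cafile=cafile)

    # `with` closes the raw socket even if connect() or the handshake
    # raises; the original left it open on those failure paths and never
    # closed the TLS socket after the read loop either.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as raw_sock:
        raw_sock.connect((host, port))
        print('Connected to host {!r} and port {}'.format(host, port))
        with context.wrap_socket(raw_sock, server_hostname=host) as ssl_sock:
            # Read until the peer closes (recv returns b'').
            while True:
                data = ssl_sock.recv(1024)
                if not data:
                    break
                print(repr(data))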
  22.  
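def server(host, port, certfile, cafile=None):
    """Accept one TLS connection, send a fixed greeting, and return.

    Args:
        host: Interface to bind; ``''`` binds every IPv4 interface.
        port: TCP port to listen on.
        certfile: PEM file holding the server certificate and private key,
            passed straight to ``SSLContext.load_cert_chain``.
        cafile: Optional PEM file of CA certificates used to verify
            client certificates. Note that a CLIENT_AUTH default context
            does not require a client certificate (``verify_mode`` is
            ``ssl.CERT_NONE``), so with this code the client is not
            authenticated unless ``context.verify_mode`` is raised to
            ``ssl.CERT_REQUIRED``.

    Raises:
        OSError: bind/listen/accept failure.
        ssl.SSLError: handshake failure, e.g. when the client rejects the
            server certificate and sends an alert.
    """
    purpose = ssl.Purpose.CLIENT_AUTH
    context = ssl.create_default_context(purpose, cafile=cafile)
    context.load_cert_chain(certfile)

    # The listener and the accepted socket are both closed on every exit
    # path; the original leaked both when the handshake raised.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind((host, port))
        listener.listen(1)
        print('Listening at interface {!r} and port {}'.format(host, port))
        raw_sock, address = listener.accept()
        print('Connection from host {!r} and port {}'.format(*address))
        with raw_sock:
            with context.wrap_socket(raw_sock, server_side=True) as ssl_sock:
                ssl_sock.sendall('Simple is better than complex.'.encode('ascii'))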
  39.  
if __name__ == '__main__':
    # Command-line entry point: ``-s certfile`` selects server mode,
    # otherwise the script runs as a client. ``-a`` supplies the CA file
    # used for verification in either mode.
    description = 'Safe TLS client and server'
    parser = argparse.ArgumentParser(description=description)
    parser.add_argument('host', help='hostname or IP address')
    parser.add_argument('port', type=int, help='TCP port number')
    parser.add_argument(
        '-a', metavar='cafile', default=None,
        help='authority: path to CA certificate PEM file',
    )
    parser.add_argument(
        '-s', metavar='certfile', default=None,
        help='run as server: path to server PEM file',
    )
    args = parser.parse_args()
    if not args.s:
        client(args.host, args.port, args.a)
    else:
        server(args.host, args.port, args.s, args.a)
  53.  
  54. python safe_tls.py -s localhost.pem '' 1060
  55.  
  56. python safe_tls.py -a ca.crt localhost 1060
  57.  
  58. Listening at interface '' and port 1060
  59. Connection from host '127.0.0.1' and port 35148
  60. Traceback (most recent call last):
  61. File "safe_tls.py", line 50, in <module>
  62. server(args.host, args.port, args.s, args.a)
  63. File "safe_tls.py", line 35, in server
  64. ssl_sock = context.wrap_socket(raw_sock, server_side=True)
  65. File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
  66. _context=self, _session=session)
  67. File "/usr/lib/python3.6/ssl.py", line 814, in __init__
  68. self.do_handshake()
  69. File "/usr/lib/python3.6/ssl.py", line 1068, in do_handshake
  70. self._sslobj.do_handshake()
  71. File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
  72. self._sslobj.do_handshake()
  73. ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:833)
  74.  
  75. Connected to host 'localhost' and port 1060
  76. Traceback (most recent call last):
  77. File "safe_tls.py", line 52, in <module>
  78. client(args.host, args.port, args.a)
  79. File "safe_tls.py", line 15, in client
  80. ssl_sock = context.wrap_socket(raw_sock, server_hostname=host)
  81. File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
  82. _context=self, _session=session)
  83. File "/usr/lib/python3.6/ssl.py", line 814, in __init__
  84. self.do_handshake()
  85. File "/usr/lib/python3.6/ssl.py", line 1068, in do_handshake
  86. self._sslobj.do_handshake()
  87. File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
  88. self._sslobj.do_handshake()
  89. ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)