How to create a dual-authentication HTTPS client in Python without (L)GPL libs?

陌路散爱 submitted on 2020-01-23 06:14:02

Question


Both the client and the server are internal, each has a certificate signed by the internal CA and the CA certificate. I need the client to authenticate the server's certificate against the CA certificate it has. It also should send its certificate to the server for authentication.

The urllib2 manual says that server authentication is not performed. PycURL is a natural alternative but its license is not approved yet. I would also prefer not having to compile the library from the source code but to use RPM instead.

I went over a bunch of libraries like requests and httplib2 and don't see what I need. There is also the ssl module, but I don't feel like implementing HTTP myself if I don't absolutely have to.

Python 2.6 on RHEL 5.7


Answer 1:


Well, the winner (almost) is httplib2 v0.7. Starting from this version it supports SSL certificate authentication. Here's the sample code:

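import httplib2

# Verify the server certificate against the internal CA certificate
client = httplib2.Http(ca_certs='ca.crt')
# Present the client certificate and key; domain='' matches any host
client.add_certificate(key='client_private_key.pem', cert='cert_client.pem', domain='')
# query holds the HTTPS URL to request
headers, resp = client.request(query)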

Note the domain='' parameter; it didn't work for me otherwise.

PS. Unfortunately, this simple solution does not work for me, as I forgot to mention an additional requirement: having an RPM installation for RHEL 5.7 & Python 2.6.




Answer 2:


Twisted Python is a library that may do what you need although I'm not sure if the MIT license fits what you want. GPL is a pretty specific license and hopefully you didn't mean "all open source licenses."

For SSL examples, see http://twistedmatrix.com/documents/current/core/howto/ssl.html. The last couple examples on that page are particularly relevant based on your description. Twisted uses PyOpenSSL (docs) which is licensed with the Apache license. You might consider using PyOpenSSL directly as well.




Answer 3:


Update: If requests didn't support client-side certificates before, it supports it now, provided the local cert's private key (if any) is unencrypted:

>>> requests.get('https://FOO.BAR.BAZ/', cert=('/path/client.cert', '/path/client.key'))
<Response [200]>


Source: https://stackoverflow.com/questions/9093289/how-to-create-a-dual-authentication-https-client-in-python-without-lgpl-libs
