A 16-line Python application that demonstrates SSL client authentication over HTTPS. We also explain the basics of how to set up Apache to require SSL client authentication. This assumes at least Python 2.2 compiled with SSL support, and Apache with mod_ssl.
#!/usr/bin/env python
import httplib

# PEM file holding both the client certificate and its private key.
CERTFILE = '/home/robr/mycert'
HOSTNAME = 'localhost'

# key_file and cert_file may name the same file or two separate ones.
# Note: httplib in Python 2.x (before 2.7.9) does not check the server's
# certificate, so this proves the client's identity to the server, not vice versa.
conn = httplib.HTTPSConnection(HOSTNAME, key_file=CERTFILE, cert_file=CERTFILE)
conn.putrequest('GET', '/ssltest/')
conn.endheaders()
response = conn.getresponse()
print response.read()
"mycert" is a PEM-formatted file that contains both the client certificate and its private key. As the code shows, you can just as well keep them in separate files: pass the key with key_file and the certificate with cert_file. One caveat: Python 2.x's httplib.HTTPSConnection (before 2.7.9) never verifies the server's certificate, so this setup authenticates the client to the server but not the server to the client.
SSL client authentication generally means running your own certificate authority: the server accepts a client certificate only if it chains to a CA it has been told to trust, and you want to be the only one issuing certificates for your empire.
Apache needs to be set up to require SSL client authentication. In my httpd.conf file I have the following:
SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/myCA.crt
SSLVerifyClient require
SSLVerifyDepth 2
SSLRequireSSL
If SSLCACertificateFile is already set elsewhere in your configuration you will need to resolve the conflict: the directive is valid only in the server or virtual host context, so each virtual host can name one such file (SSLCACertificatePath points at a directory of hash-named CA certificates instead). A single file may hold several CA certificates, but then anyone holding a certificate from any of those CAs can reach all of the content behind that host. To grant access per CA, put SSLVerifyClient in the Directory or Location block that needs it, or check the issuer with SSLRequire (%{SSL_CLIENT_I_DN}).
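The whole arrangement described above, from running your own CA (so only certificates you issued are accepted) through a server that insists on a client certificate to a client that presents one, as an added, self-contained example written for this page rather than taken from the original article. It is in Go rather than Python because Go's standard library can mint the CA, server and client certificates in memory, so it runs offline with no openssl and no Apache. The CA name, the hypothetical client "robr" (borrowed from the article's /home/robr path), the serial numbers and the /ssltest/ path are all made-up fixtures. StartServer is the counterpart of SSLVerifyClient require plus SSLCACertificateFile; Fetch is the counterpart of the 16-line client, except that it also verifies the server's certificate, which Python 2.2's httplib did not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and a one-day certificate for cn in memory, signed by
// parent (or self-signed and marked as a CA when parent is nil).
func issue(cn string, serial int64, eku x509.ExtKeyUsage, ips []net.IP,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		IPAddresses:  ips,
	}
	if parent == nil { // root CA: signs itself with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewRealm builds a private CA and has it issue one server and one client certificate.
func NewRealm() (caPool *x509.CertPool, server, client tls.Certificate) {
	caCert, caKey := issue("my private CA", 1, x509.ExtKeyUsageAny, nil, nil, nil) // made-up CA name
	// httptest listens on 127.0.0.1, so the server certificate needs that IP SAN.
	srvCert, srvKey := issue("localhost", 2, x509.ExtKeyUsageServerAuth, []net.IP{net.IPv4(127, 0, 0, 1)}, caCert, caKey)
	cliCert, cliKey := issue("robr", 3, x509.ExtKeyUsageClientAuth, nil, caCert, caKey) // hypothetical user
	caPool = x509.NewCertPool() // plays the role of Apache's SSLCACertificateFile
	caPool.AddCert(caCert)
	server = tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	client = tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey} // the Python client's "mycert"
	return caPool, server, client
}

// StartServer is the analogue of "SSLVerifyClient require": the handshake fails
// unless the client presents a certificate that chains to a CA in caPool.
func StartServer(caPool *x509.CertPool, server tls.Certificate) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		// RequireAndVerifyClientCert guarantees a verified client certificate is present.
		fmt.Fprintf(w, "hello %s", req.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	s.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientCAs:    caPool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
	s.StartTLS()
	return s
}

// Fetch is the article's client: GET url, presenting clientCert (nil = none). Unlike
// Python 2.2's httplib it also verifies the server's certificate against caPool.
func Fetch(url string, caPool *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: caPool}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	caPool, server, client := NewRealm()
	s := StartServer(caPool, server)
	defer s.Close()
	fmt.Println(Fetch(s.URL+"/ssltest/", caPool, &client)) // authenticated: hello robr
	fmt.Println(Fetch(s.URL+"/ssltest/", caPool, nil))     // no certificate: TLS error
}
```

Run it with go run (Go 1.18 or newer, for the generic must helper). The authenticated request returns the greeting built from the verified certificate's CN; the request without a certificate fails with a TLS alert, and a client certificate issued by a different CA (for instance the client from a second NewRealm) is rejected the same way, which is exactly the property the advice about separate CAs above relies on.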
So why use SSL client authentication? It is a convenient way to authenticate one web-enabled application to another: the client proves possession of a private key instead of sending a password, and the server accepts only certificates issued by your own CA. That makes it a good fit for SOAP or XML-RPC implementations, or custom applications that talk to each other over HTTPS.