Created on 2011-04-27 22:28 by sqs, last changed 2022-04-11 14:57 by admin. This issue is now closed.
Files

| File name | Uploaded | Description | Edit |
|---|---|---|---|
| python+tls-srp-20110427.patch | sqs, 2011-04-27 22:28 | add TLS-SRP (RFC 5054) support to ssl, _ssl, http, urllib + tests | |
Repositories containing patches

- https://bitbucket.org/sqs/cpython
Messages (12)
msg134627 | Author: Quinn Slack (sqs) | Date: 2011-04-27 22:28
This patch adds support for TLS-SRP (RFC 5054 [1]) to Python ssl.SSLSocket, _ssl.c, http, and urllib. TLS-SRP lets a client and server establish a mutually authenticated SSL channel using only a username and password (a certificate may also be used to supplement authentication).

TLS-SRP is supported in GnuTLS, OpenSSL 1.0.1 (soon to be released), cURL, TLSLite (a Python module), and mod_gnutls. There are also patches for Chrome, NSS, mod_ssl, Django, Firefox, WordPress, and SJCL (see [2]). Much of the growing interest in TLS-SRP is because a couple of key PAKE patents expired recently. Also, CAs are perceived as more vulnerable now than a few years ago, and in certain cases TLS-SRP is a good substitute for or supplement to certificate auth. Two Python-specific use cases for TLS-SRP are calling HTTP APIs that require auth, and test suites written in Python for networked software (e.g., Chromium uses TLSLite for network testing).
I'm submitting this patch now to begin gathering feedback.
###########################################################
EXAMPLE USAGE
###########################################################
import urllib.request
# tls_username / tls_password are the keyword arguments this patch adds to urlopen()
res = urllib.request.urlopen("https://tls-srp.test.trustedhttp.org/",
                             tls_username='jsmith', tls_password='abc')
print(res.read())
# => "user: jsmith"
###########################################################
import http.client
import ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
# set_tls_username_password() is the SSLContext method this patch adds
context.set_tls_username_password('jsmith', 'abc')
h = http.client.HTTPSConnection('tls-srp.test.trustedhttp.org', 443, context=context)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)
# => 200
print(resp.read())
# => "user: jsmith"
###########################################################
import socket, ssl
with socket.socket() as sock:
    # ciphers='SRP' restricts the handshake to the SRP cipher suites
    s = ssl.wrap_socket(sock,
                        ssl_version=ssl.PROTOCOL_TLSv1,
                        ciphers='SRP',
                        tls_username='jsmith',
                        tls_password='abc')
    s.connect(('tls-srp.test.trustedhttp.org', 443))
    s.write(b"GET / HTTP/1.0\r\n\r\n")
    print(s.read())
###########################################################
[1] http://tools.ietf.org/html/rfc5054
[2] http://trustedhttp.org/
[3] http://trustedhttp.org/wiki/TLS-SRP_in_Python
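The arithmetic that the proposed `tls_username` / `tls_password` parameters would hand to OpenSSL, as an added example that is not part of this patch or of CPython: SRP-6a as profiled by RFC 5054, with both sides' computations and the two mandatory abort checks. It models the values carried in ServerKeyExchange (N, g, s, B) and ClientKeyExchange (A) and derives the premaster secret S on each side; the TLS record framing and the Finished messages, which are what make the authentication mutual in TLS-SRP, are not modelled. Assumptions: the 1024-bit group constants are transcribed here from RFC 5054 Appendix A and should be checked against the RFC before any real use; the usernames and passwords are constructed test inputs; SHA-1 is used because RFC 5054 specifies it for the SRP computations regardless of cipher suite.

```python
"""SRP-6a key agreement as carried inside a TLS-SRP (RFC 5054) handshake.

Added example (not CPython or patch code). Message flow modelled:
  ClientHello(srp username) -> ServerKeyExchange(N, g, s, B) -> ClientKeyExchange(A)
Both sides then derive the same premaster secret S.
"""
import hashlib
import secrets

# 1024-bit group, RFC 5054 Appendix A. Assumed transcription: verify against the RFC.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
G = 2
N_LEN = (N.bit_length() + 7) // 8  # PAD() length in bytes (128 for this group)


def _pad(x: int) -> bytes:
    """PAD(): left-pad an integer to the byte length of N (RFC 5054 section 2.5.3)."""
    return x.to_bytes(N_LEN, "big")


def _sha1_int(*parts: bytes) -> int:
    """RFC 5054 fixes SHA-1 for the SRP arithmetic, whatever PRF the cipher suite uses."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def _private_key(username: str, password: str, salt: bytes) -> int:
    """x = SHA1(s | SHA1(I | ":" | P)); only the client ever computes this."""
    inner = hashlib.sha1(username.encode() + b":" + password.encode()).digest()
    return _sha1_int(salt, inner)


def make_verifier(username: str, password: str, salt: bytes = None):
    """Enrollment: the server stores (salt, v = g^x mod N), never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, pow(G, _private_key(username, password, salt), N)


def server_key_exchange(v: int):
    """ServerKeyExchange: B = (k*v + g^b) mod N, with k = SHA1(N | PAD(g))."""
    b = secrets.randbits(256)
    k = _sha1_int(_pad(N), _pad(G))
    B = (k * v + pow(G, b, N)) % N
    return b, B


def client_key_exchange(username: str, password: str, salt: bytes, B: int):
    """ClientKeyExchange: returns (A, S). Must abort if B mod N == 0 (RFC 5054 2.5.4)."""
    if B % N == 0:
        raise ValueError("illegal_parameter: B mod N == 0")
    a = secrets.randbits(256)
    A = pow(G, a, N)
    u = _sha1_int(_pad(A), _pad(B))
    x = _private_key(username, password, salt)
    k = _sha1_int(_pad(N), _pad(G))
    # S = (B - k*g^x)^(a + u*x) mod N; reduce the base first so it is non-negative
    S = pow((B - k * pow(G, x, N)) % N, a + u * x, N)
    return A, S


def server_premaster(A: int, v: int, b: int, B: int) -> int:
    """Server side: S = (A * v^u)^b mod N. Must abort if A mod N == 0 (RFC 5054 2.5.4)."""
    if A % N == 0:
        raise ValueError("illegal_parameter: A mod N == 0")
    u = _sha1_int(_pad(A), _pad(B))
    return pow(A * pow(v, u, N), b, N)


def run_handshake(username: str, password: str, attempt: str) -> bool:
    """Full exchange with constructed inputs; True iff both sides agree on S."""
    salt, v = make_verifier(username, password)          # enrollment, done once
    b, B = server_key_exchange(v)                        # ServerKeyExchange
    A, s_client = client_key_exchange(username, attempt, salt, B)  # ClientKeyExchange
    s_server = server_premaster(A, v, b, B)
    return s_client == s_server
```

`run_handshake("jsmith", "abc", "abc")` returns True and a wrong password returns False without the client ever sending the password or its hash. Two properties worth keeping in mind when choosing this over certificate auth: the verifier v = g^x mod N is not a random secret, so a stolen verifier database is exposed to offline dictionary attack against the salted password, and the SRP username travels in the ClientHello extension in the clear.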
msg134675 | Author: Jesús Cea Avión (jcea) * (Python committer) | Date: 2011-04-28 13:20

The idea seems interesting. I will check the RFC ASAP. The patch should include documentation updates, though. You can update the issue number in the NEWS file, also. Do you plan to complete the sections marked as "TODO"?

PS: The mercurial repository URL you are linking has an unneeded username, and Firefox complains about it.
msg134676 | Author: Jesús Cea Avión (jcea) * (Python committer) | Date: 2011-04-28 13:23

Also, I will not invest too much time on this until OpenSSL 1.0.1 is released, with support for this.
msg134684 | Author: Quinn Slack (sqs) | Date: 2011-04-28 15:25

Thanks for checking this out. Yes, this should wait for OpenSSL 1.0.1. I will fix the TODO. It is there because the current TLS-SRP patch to OpenSSL uses old (pre-RFC 5054) TLS alert values for when the SRP username isn't in the Client Hello. I'm preparing another patch to OpenSSL to fix these, and then I'll update this patch. I'll also include docs.
msg134920 | Author: Antoine Pitrou (pitrou) * (Python committer) | Date: 2011-05-01 19:19

Thanks for the patch. Some preliminary comments:

- the OpenSSL functions you are using (SSL_get_srp_username etc.) don't seem documented on openssl.org; this makes it harder to do a proper review
- no need to fill Misc/ACKS and Misc/NEWS by yourself, we can take care of that
- what is an "SRP vbase"? is it something standardized, or OpenSSL-specific?
- if server-side support needs a callback, I think it would be better to let users write their callback in Python, rather than force a hardwired implementation
- ssl.wrap_socket() is the legacy API, I would rather add new features only to the SSLContext API
msg135164 | Author: Quinn Slack (sqs) | Date: 2011-05-04 23:57

I have updated the patch in hg to address the sections marked "TODO" (after I submitted a patch to OpenSSL that they depended on). I'll resubmit a patch here in a ~week addressing that issue and those below, to continue pushing this issue along.

pitrou: Thanks for your feedback.

> - the OpenSSL functions you are using (SSL_get_srp_username etc.) don't seem documented on openssl.org; this makes it harder to do a proper review

Yes...I'll submit some docs to OpenSSL on these functions.

> - what is an "SRP vbase"? is it something standardized, or OpenSSL-specific?
> - if server-side support needs a callback, I think it would be better to let users write their callback in Python, rather than force a hardwired implementation

An SRP "vbase" is OpenSSL's name for the SRP password (verifier) database. I will generalize this interface so that Python callbacks can be provided (in addition to using an OpenSSL verifier database).

> - no need to fill Misc/ACKS and Misc/NEWS by yourself, we can take care of that
> - ssl.wrap_socket() is the legacy API, I would rather add new features only to the SSLContext API

Got it.
msg159951 | Author: Antoine Pitrou (pitrou) * (Python committer) | Date: 2012-05-04 17:53

Quinn, are you planning to work on an updated patch?
msg170223 | Author: Jesús Cea Avión (jcea) * (Python committer) | Date: 2012-09-10 19:41

Ping!
msg170282 | Author: Senthil Kumaran (orsenthil) * (Python committer) | Date: 2012-09-11 09:20

On 2012-09-10, Jesús Cea Avión <report@bugs.python.org> wrote:
> Ping!

Guess it is still for 3.4.
msg170307 | Author: Jesús Cea Avión (jcea) * (Python committer) | Date: 2012-09-11 13:52

Yes, 3.4. I would hate to rush, in two years, because this issue was neglected during 18 months :) No reason for not starting now.
msg170308 | Author: Antoine Pitrou (pitrou) * (Python committer) | Date: 2012-09-11 14:05

On Tuesday, 11 September 2012 at 13:52 +0000, Jesús Cea Avión wrote:
> No reason for not starting now.

There's no point in being pushy, though. If you want to "start", the best thing is to work on the patch and update it.
msg301476 | Author: Christian Heimes (christian.heimes) * (Python committer) | Date: 2017-09-06 14:54

This feature request has been idle for five years. Although TLS-SRP is nice to have, it is not a priority for protocols such as HTTPS. I have neither the time nor the motivation to create a patch myself. Therefore I'm closing this issue for lack of activity. Please feel free to re-open it with a patch against 3.7.
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:57:16 | admin | set | github: 56152 |
| 2017-09-06 14:54:35 | christian.heimes | set | status: open -> closed; resolution: out of date; messages: + msg301476; stage: patch review -> resolved |
| 2016-09-15 07:53:57 | christian.heimes | set | assignee: christian.heimes; components: + SSL |
| 2016-09-08 15:31:03 | christian.heimes | set | components: + Extension Modules; versions: + Python 3.7, - Python 3.4 |
| 2015-08-21 15:18:48 | njouanin | set | nosy: + njouanin |
| 2013-06-14 14:08:58 | christian.heimes | set | nosy: + christian.heimes |
| 2012-09-11 14:05:24 | pitrou | set | messages: + msg170308 |
| 2012-09-11 13:52:55 | jcea | set | messages: + msg170307 |
| 2012-09-11 09:20:25 | orsenthil | set | messages: + msg170282 |
| 2012-09-10 19:41:17 | jcea | set | messages: + msg170223 |
| 2012-06-29 00:05:46 | pitrou | set | versions: + Python 3.4, - Python 3.3 |
| 2012-05-04 17:53:32 | pitrou | set | messages: + msg159951 |
| 2011-05-04 23:57:21 | sqs | set | messages: + msg135164 |
| 2011-05-01 19:19:20 | pitrou | set | messages: + msg134920 |
| 2011-04-28 15:25:26 | sqs | set | messages: + msg134684 |
| 2011-04-28 13:23:21 | jcea | set | messages: + msg134676 |
| 2011-04-28 13:20:39 | jcea | set | messages: + msg134675 |
| 2011-04-28 13:07:29 | orsenthil | set | nosy: + orsenthil |
| 2011-04-28 12:59:14 | jcea | set | nosy: + jcea |
| 2011-04-27 22:55:08 | pitrou | set | nosy: + pitrou, debatem1; type: enhancement; stage: patch review |
| 2011-04-27 22:28:50 | sqs | create | |