Posted to user@thrift.apache.org by "j.barrett Strausser" <j....@gmail.com> on 2016/01/24 13:54:16 UTC

Mutual Auth in Python

Does release 0.9.3 support mutual authentication in Python on version
2.7.6? By Mutual Auth I mean does the server check that the client has a
cert that has been signed by the server's PKI (cert,key)?

Looking at the source it appears that it does not?

Is it supported in 0.9.4? In this commit it appears to have been introduced.
https://github.com/apache/thrift/commit/ad8358664e6aa2de9094ca68c8b626b953b572c0

In particular I'm assuming the line below is the relevant test case for
mutual auth?
https://github.com/apache/thrift/commit/ad8358664e6aa2de9094ca68c8b626b953b572c0#diff-2853875e5d5696e7082aa0e46bc206b1R186

If all the above is the case, does the server side perform hostname
verification on the client common name? Any thoughts on how to handle that
in 2.7.6?


Thanks,

-b
-- 


https://github.com/bearrito
@deepbearrito

Re: Mutual Auth in Python

Posted by Aki Sukegawa <ns...@apache.org>.
Hi j.barrett,

Thanks for bringing this up.
Your observation is correct.
The patch only enables what is already done in the standard library and does
not handle hostname verification.
I don't think it's possible for Python < 2.7.9 without modifying Thrift
code.
It's kind of a bug since it's done for server certs and without this it
only gives a false sense of security.
Could you file an issue in our JIRA?
https://issues.apache.org/jira/browse/THRIFT

If you happen to be interested in contributing, I'll definitely check out
your implementation and work for the merge.
Either way, I guess we need it before the next release.

On Sun, Jan 24, 2016 at 9:54 PM j.barrett Strausser <
j.barrett.strausser@gmail.com> wrote:

> Does release 0.9.3 support mutual authentication in Python on version
> 2.7.6? By Mutual Auth I mean does the server check that the client has a
> cert that has been signed by the server's PKI (cert,key)?
>
> Looking at the source it appears that it does not?
>
> Is it supported in 0.9.4? In this commit it appears to have been
> introduced.
>
> https://github.com/apache/thrift/commit/ad8358664e6aa2de9094ca68c8b626b953b572c0
>
> In particular I'm assuming the line below is the relevant test case for
> mutual auth?
>
> https://github.com/apache/thrift/commit/ad8358664e6aa2de9094ca68c8b626b953b572c0#diff-2853875e5d5696e7082aa0e46bc206b1R186
>
> If all the above is the case, does the server side perform hostname
> verification on the client common name? Any thoughts on how to handle that
> in 2.7.6?
>
>
> Thanks,
>
> -b
> --
>
>
> https://github.com/bearrito
> @deepbearrito
>
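The gap discussed in this thread, as an added example that is not code from the Thrift project or from either poster: the referenced patch makes the server demand a client certificate chaining to its CA, but nothing then checks which client the certificate names. The block below builds that server context (Python 2.7.9+ / 3.4+, the floor Aki mentions) and checks the identity asserted by the accepted client's certificate against an allow-list. The matching works on the dict that SSLSocket.getpeercert() returns, so it can be exercised without a live handshake; names such as worker01.internal.example and the file paths are constructed.

```python
# Added example (not Thrift project code): identity check on a client
# certificate after mutual TLS. Matching operates on the getpeercert() dict;
# the SSLContext helper needs Python 2.7.9+ / 3.4+. All names are constructed.
import ssl


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, at most one wildcard and only
    as the complete leftmost label ('*.batch.example' covers one label)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard stands for exactly one non-empty label; the rest must be equal.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def asserted_identities(cert):
    """Identities a getpeercert() dict asserts. Only subjectAltName DNS entries
    count when any exist; the subject CN is a fallback for legacy certificates
    that carry no DNS SAN at all (the policy the old ssl.match_hostname used)."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return dns_names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def matched_client_identity(cert, allowed_names):
    """Return the first allowed name the certificate proves, else None."""
    for identity in asserted_identities(cert):
        for allowed in allowed_names:
            if dns_name_matches(identity, allowed):
                return allowed
    return None


def make_mutual_tls_server_context(ca_file, cert_file, key_file):
    """Server-side context that requires a client certificate chaining to
    ca_file. This proves possession of a CA-signed key; it says nothing about
    which client connected, which is the gap the thread points out."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def require_client_identity(ssl_conn, allowed_names):
    """Call right after accept()/do_handshake(): reject a client whose
    certificate, although CA-signed, does not name an expected peer.
    getpeercert() is empty unless the chain was verified, so that case is
    rejected too."""
    cert = ssl_conn.getpeercert() or {}
    matched = matched_client_identity(cert, allowed_names)
    if matched is None:
        raise ssl.CertificateError(
            "client certificate asserts %r, expected one of %r"
            % (asserted_identities(cert), list(allowed_names)))
    return matched
```

In a server loop the call sits between the TLS accept and the first Thrift frame read: `require_client_identity(conn, {"worker01.internal.example"})` and close the socket on `ssl.CertificateError`. Wildcards are honoured only in the certificate (the issuer decided to grant them), never in the allow-list, so a typo in configuration cannot silently widen who is accepted.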