[Twisted-Python] SSL + AMP

[Brian Warner]

On Wed, 19 Mar 2008 20:14:09 -0600
Nathan <nathan.stocks at gmail.com> wrote:

> The security properties that I want are:
> 
> 1) My client and my server refuse to establish SSL (or any other type
> of) connections with anybody but each other.
> 2) My client and server do establish SSL connections with each other.

For reference, this is almost exactly what Foolscap does. The server
registers an object and gets back a "FURL" which contains two cryptographic
values: the hash of the SSL certificate, and the per-object secret. You give
this FURL to the client by some out-of-band means (paste it into a config
file, perhaps). Then the client connects to the server over SSL, verifies the
certificate hash, sends the secret, and gets back a reference to the object.

The client will refuse to use any connection that has a different SSL
certificate. It will also refuse to use a non-SSL connection.

The part where the capability-oriented Foolscap model differs from your
stated properties is that the server makes no attempt to distinguish between
various clients. Any client which knows the FURL will be granted access to
the object that you've registered. To accomplish both of your goals, simply
don't reveal the FURL to anyone but your desired client. Unauthorized clients
will be able to make an SSL connection to the server but they won't know the
object secret and will be unable to access the object.

If you use Foolscap, you'll be working with objects and remote method calls,
rather than the single-endpoint model that AMP uses. This may be more
flexibility than you really need, but if you only publish one object and
always call a single method (perhaps called 'dispatch'), then you can program
in the same style. Of course, when you want to use multiple objects, pass
arbitrary reference graphs in arguments and responses, or allow third-party
introductions, Foolscap will be ready for you :).

http://foolscap.lothar.com/trac


cheers,
 -Brian