{ "info": { "author": "Stefan Marsiske", "author_email": "s@ctrlc.hu", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Environment :: Web Environment", "License :: OSI Approved :: BSD License", "Topic :: Security :: Cryptography" ], "description": "* tlsauth\n\nThis is a simple example how to setup TLS Certificate Authentication\nfor your online services. The example is based on nginx and WSGI but\nshould work also with an FCGI backend with PHP.\n\nUsing tlsauth you can authenticate your users based on certificates\ninstead of passwords. In fact you don't have to store neither the\nusernames, their email addresses nor their nicks, it is all contained\nin the Client certificate that is stored and presented by the\nuser. You can be sure, unless your signing key is compromised, noone\nelse can create valid certificates but you. This eliminates the need\nto remember passwords and prohibits password bruteforcing. Using\nnginx, you can even display totally different content depending if an\nrequest is authenticated or not, routing unauthenticated users to\nstatic html for example while authenticated users having access to\nsome dynamic content.\n\nI don't want to scare you but this is essentially a self-signed CA, it\nprovides all the neccessary basic tools to make this hassle-free. Your\nusers only need to go through a registration procedure and then they\ncould enjoy seamless single-sign-on to all your services, never being\nasked for a password again.\n\n** CA and https service install\n*** create a \"localhost CA\" in ./root-ca\n #+BEGIN_SRC sh\n./tlsauth.py root-ca createca http://localhost/crl.pem \"Example CA\" ca@example.com\n #+END_SRC\n*** create a \"client authentication CA\" in ./sub-ca\n #+BEGIN_SRC sh\n./tlsauth.py sub-ca createca http://localhost/client-crl.pem \"hostname client CA\" email@example.com root-ca\n #+END_SRC\n*** create https server certificate\n #+BEGIN_SRC sh\n./tlsauth.py root-ca newcsr localhost root@localhost >server.key\n #+END_SRC\n*** Sign server cert with CA\n #+BEGIN_SRC sh\n./tlsauth.py sign server.pem\n #+END_SRC\n*** Remove Root CA private key\nIt is important to remove and store the root CA private key in a safe\noffline location, as it can be used to mount a MITM attack against all\nusers, who trust this key. You need this key in 1 year, when you need\nto renew your client CA certificate (per default it's only valid for\none year!)\n #+BEGIN_SRC sh\nmv root-ca/private/root.key \n #+END_SRC\n*** Setup nginx to serve\n #+BEGIN_SRC sh\nserver {\n listen 443;\n ssl on;\n server_name localhost;\n\n ssl_certificate /tlsauth/server.cert;\n ssl_certificate_key /tlsauth/server.key;\n ssl_client_certificate /tlsauth/sub-ca/public/root.pem;\n ssl_verify_client optional;\n\n location / {\n include uwsgi_params;\n uwsgi_param verified $ssl_client_verify;\n uwsgi_param dn $ssl_client_s_dn;\n if ( $ssl_client_verify = \"SUCCESS\") {\n uwsgi_pass 127.0.0.1:8080;\n }\n try_files $uri $uri/ /index.html;\n }\n}\n#+END_SRC\n don't forget to restart nginx.\n\n Now if users have a proper client cert installed the environment of\n the WSGI application will contain the variables 'verified' and 'dn'\n variables set accordingly.\n** webserver Demo\n There's a bundled demo, to try it out:\n*** set up uwsgi\n #+BEGIN_SRC sh\nedit flask-demo/tlsdemo_wsgi.py\n #+END_SRC\n*** install python dependencies\n #+BEGIN_SRC sh\nvirtualenv --distribute env\nsource env/bin/activate\npip install Flask uwsgi\n #+END_SRC\n*** run flask application\n #+BEGIN_SRC sh\nbasedir=$PWD\nenv/bin/uwsgi --socket 127.0.0.1:8080 --chdir $basedir/flask-demo -pp $basedir -w tlsdemo_wsgi -p 1 --virtualenv $basedir/env\n #+END_SRC\n** Client side setup\nHow to create a proper Client certificate.\n*** Create a client certificate\n #+BEGIN_SRC sh\n./tlsauth.py root-ca newcsr joe joe@localhost >joe.key\n #+END_SRC\n send the resulting \"user.csr\" to the CA for signing. In this case\n you are both, but in a normal case this step is done by arbitrary\n users who send this csr file during the registration process to the\n site.\n\n Store user.key away somewhere safe offline, you'll need it later\n once more.\n*** CA signs users cert signing request\n #+BEGIN_SRC sh\n./tlsauth.py root-ca sign joe.cert\n #+END_SRC\n CA sends back the signed 'user.cert\" to the sender. As a\n convenience feature also the root CA cert should be sent to the\n user, so he can import this also in his CA store.\n*** Create PKCS#12 cert for your browser\n Using the returned cert from the CA we convert it together with the\n secret key part to a PKCS#12\n #+BEGIN_SRC sh\n./tlsauth.py root-ca p12 joe.key joe.p12\n #+END_SRC\n This asks for a passphrase which is needed only once when importing\n into the browser.\n*** Import the certificates in Firefox\n 1. Using the menu open the Preferences dialog.\n 2. Select the Advanced toolbar icon\n 3. click on the \"View certificates\" button\n 4. On the \"Authorities\" tab click on the Import button and import\n the root CA cert (this must be supplied by the CA to you).\n 5. on the \"Your Certificates\" tab click on the \"Import\" button and\n load the file \"user.cert.p12\"\n\n if everything went ok the new certificate should appear under the\n \"Your Certificates\" tab\n*** Securing keys\n Store away private key in joe.key again together with the pkcs12\n cert joe.p12 in a safe offline location (maybe your backup?), if\n you reinstall your browser you want to import user.cert.p12 back\n into it again.\n\n If you now surf to https://localhost with this firefox, the flask\n application should report back your distinguished name. If you\n browse to this location with another browser which lacks this\n certificate you will probably see the default nginx installation\n html page.\n** Python usage\n see test.py\n** Changes\n*** v0.4\n Fixed dangerously exposed Root CA key, by introducing a sub CA\n only for signing the client authentication keys, and thus\n eliminating the chance for a MITM attack in case the Root CA gets\n compromised.", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://pypi.python.org/pypi/tlsauth", "keywords": "crypto authentication TLS certificate x509 CA", "license": "BSD", "maintainer": null, "maintainer_email": null, "name": "tlsauth", "package_url": "https://pypi.org/project/tlsauth/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/tlsauth/", "project_urls": { "Download": "UNKNOWN", "Homepage": "https://pypi.python.org/pypi/tlsauth" }, "release_url": "https://pypi.org/project/tlsauth/0.4-1/", "requires_dist": null, "requires_python": null, "summary": "Implements TLS Authentication - simple client certificate CA inclusive", "version": "0.4-1" }, "last_serial": 826710, "releases": { "0.2": [ { "comment_text": "", "digests": { "md5": "aebeb782cc2ff2f12fe0bff01ce643a4", "sha256": "b6db59dbdaef0105252664b308690bbd79ced7fbb731b111d9d5a73b32bb8e9f" }, "downloads": -1, "filename": "tlsauth-0.2-py2.7.egg", "has_sig": true, "md5_digest": "aebeb782cc2ff2f12fe0bff01ce643a4", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 15994, "upload_time": "2013-03-24T16:42:33", "url": "https://files.pythonhosted.org/packages/c7/c5/1f551efe12280528a64a9ea11e3fdf65a36b4c72db2baf97eb5c132870b3/tlsauth-0.2-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "e2e6cd4a2dc0864e0d6be766402f169f", "sha256": "c5fa4fb8df3978d0a2f9184909b71fc69ee9f564f54dafb0b87d4eba88747c87" }, "downloads": -1, "filename": "tlsauth-0.2.tar.gz", "has_sig": true, "md5_digest": "e2e6cd4a2dc0864e0d6be766402f169f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 11310, "upload_time": "2013-03-24T16:42:12", "url": "https://files.pythonhosted.org/packages/55/a0/eff9e9748495dfcbf2e2c26547ba67ce053fd97afcaf477c409345338b46/tlsauth-0.2.tar.gz" } ], "0.3": [ { "comment_text": "", "digests": { "md5": "37c9a3b3f860fb736075a72815f396c7", "sha256": "cb76f71732798d6a188a9498cbc1366106ed379ecb2180737f2cb1945d56316c" }, "downloads": -1, "filename": "tlsauth-0.3-py2.7.egg", "has_sig": true, "md5_digest": "37c9a3b3f860fb736075a72815f396c7", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 19192, "upload_time": "2013-04-02T00:50:26", "url": "https://files.pythonhosted.org/packages/98/68/3293a22036258090b73e339319ee6df00d06203b83dbcc561af3573b7a09/tlsauth-0.3-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "c16aeba24e97030381251b2a02f4658a", "sha256": "ecad03275433192c2bbbea4a0ac19d59962570c33324a62a07b112051125961a" }, "downloads": -1, "filename": "tlsauth-0.3.tar.gz", "has_sig": true, "md5_digest": "c16aeba24e97030381251b2a02f4658a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12349, "upload_time": "2013-04-02T00:50:12", "url": "https://files.pythonhosted.org/packages/a2/fb/030370e37814c13cbeceefa02e40bebcb261eb2eca0e025bf4310b9b0fea/tlsauth-0.3.tar.gz" } ], "0.3.1": [ { "comment_text": "", "digests": { "md5": "78d0d205212402f3d9b2e1ad069a8058", "sha256": "8b4d1266602d968f28959b80f96c5d611f101bbef42040bc4825926b450a2d6a" }, "downloads": -1, "filename": "tlsauth-0.3.1-py2.7.egg", "has_sig": true, "md5_digest": "78d0d205212402f3d9b2e1ad069a8058", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 19699, "upload_time": "2013-04-07T00:20:53", "url": "https://files.pythonhosted.org/packages/99/a1/0c99a71edad38d115450ec35a08336690c0ae06339c06dc6d39ab3724fbe/tlsauth-0.3.1-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "917fb6c3cf1fc0536d3d0b1cddd7ebb4", "sha256": "b37e99ae13adcf989261aa3d7295b611fe1a3cd805ab1ee129627463a6c50f8d" }, "downloads": -1, "filename": "tlsauth-0.3.1.tar.gz", "has_sig": true, "md5_digest": "917fb6c3cf1fc0536d3d0b1cddd7ebb4", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12511, "upload_time": "2013-04-07T00:20:37", "url": "https://files.pythonhosted.org/packages/d5/11/12b01b9368eac0422b665d9888b359736fa13a7241a705d2b9f035d880e6/tlsauth-0.3.1.tar.gz" } ], "0.3.1-1": [ { "comment_text": "", "digests": { "md5": "d178585f686275a68b1062cbe8ede40b", "sha256": "9f620988b24ba4356f37433ea4f70ea2cc0bac96398c7a699bf4a4429d60be59" }, "downloads": -1, "filename": "tlsauth-0.3.1-1.tar.gz", "has_sig": true, "md5_digest": "d178585f686275a68b1062cbe8ede40b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12553, "upload_time": "2013-04-07T00:24:22", "url": "https://files.pythonhosted.org/packages/64/36/7bd0efb30a812c694e47876e7ffd5b7f9635cc2076cd1bfcc69fdc86e410/tlsauth-0.3.1-1.tar.gz" } ], "0.3.1-2": [ { "comment_text": "", "digests": { "md5": "1b1c343714a3bbc47d5965214d890723", "sha256": "cb18cb6985f7f704db89098d998257dfaef5cfd91cc14ba43732aa19c32fcaf4" }, "downloads": -1, "filename": "tlsauth-0.3.1_2-py2.7.egg", "has_sig": true, "md5_digest": "1b1c343714a3bbc47d5965214d890723", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 17516, "upload_time": "2013-04-07T00:27:50", "url": "https://files.pythonhosted.org/packages/67/03/27c98ef6c70fa425388366e61ca8a072c26ea01eb34906029afabb73ca47/tlsauth-0.3.1_2-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "76aecd009abb82dbc783dc89321e18b5", "sha256": "c6a8ee4df19045910bde91b6be355677e8b64d4f09892f05d9b42e025750d163" }, "downloads": -1, "filename": "tlsauth-0.3.1-2.tar.gz", "has_sig": true, "md5_digest": "76aecd009abb82dbc783dc89321e18b5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8415, "upload_time": "2013-04-07T00:27:38", "url": "https://files.pythonhosted.org/packages/8c/e6/c109a02e7807925503f227a8f34268c0c5f8cbf403dc0990dad6fb1cd2a6/tlsauth-0.3.1-2.tar.gz" } ], "0.3.1-3": [ { "comment_text": "", "digests": { "md5": "be721b420f49a1097d31e36d95907e6a", "sha256": "a1fa51fb82725b18627382e2e241ad996c9a0088884ce4c2c4d91eb4ed42e21a" }, "downloads": -1, "filename": "tlsauth-0.3.1-3.tar.gz", "has_sig": true, "md5_digest": "be721b420f49a1097d31e36d95907e6a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12562, "upload_time": "2013-04-07T00:30:36", "url": "https://files.pythonhosted.org/packages/ba/27/3bb46838171c7f9b7f8c3b986dd58280646691883ff33e4a9e77901e8190/tlsauth-0.3.1-3.tar.gz" } ], "0.3.1-4": [ { "comment_text": "", "digests": { "md5": "e22335b832bc89cc10c0bd3d0edc1931", "sha256": "6c98e509aeee4765e63a5a526813bb325aaca702b2888a10769a9203773b87b8" }, "downloads": -1, "filename": "tlsauth-0.3.1-4.tar.gz", "has_sig": true, "md5_digest": "e22335b832bc89cc10c0bd3d0edc1931", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12956, "upload_time": "2013-04-07T00:31:17", "url": "https://files.pythonhosted.org/packages/10/4e/9dc41110bf1b02f4eb43a859dcb7e2eaef6d43511c3635cf80a789711174/tlsauth-0.3.1-4.tar.gz" } ], "0.3.1-5": [ { "comment_text": "", "digests": { "md5": "0e8d18b11bdcbd31d39ca98e33340495", "sha256": "b97c5e4ad68a9168c0ecd27faf1a231757ce1d080a7ec8d6b5f02c8978b6b4ad" }, "downloads": -1, "filename": "tlsauth-0.3.1_5-py2.7.egg", "has_sig": true, "md5_digest": "0e8d18b11bdcbd31d39ca98e33340495", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 19730, "upload_time": "2013-06-24T13:21:31", "url": "https://files.pythonhosted.org/packages/7b/8d/34da9f9297479016e49bed6499009bd9b7b7842ddb074c8820ceaaad0ab0/tlsauth-0.3.1_5-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "b7cc4dbab503400a84dc1bf924f23fc9", "sha256": "6649267f78e8c44b6c4314c491129632f4017afafad24ce0815438ac8c1ba282" }, "downloads": -1, "filename": "tlsauth-0.3.1-5.tar.gz", "has_sig": true, "md5_digest": "b7cc4dbab503400a84dc1bf924f23fc9", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12971, "upload_time": "2013-06-24T13:22:40", "url": "https://files.pythonhosted.org/packages/0c/c9/921c263a7d2ff3f60e4271de59e5c9d3199519d8dd5284883df5adf403f4/tlsauth-0.3.1-5.tar.gz" } ], "0.4": [ { "comment_text": "", "digests": { "md5": "8f5c9be68d7cf846a251106fe3e44d11", "sha256": "a5609d1646b546cef60e2b0d438c8da89db3f4225b87429ef3c74a3b57fb934f" }, "downloads": -1, "filename": "tlsauth-0.4.tar.gz", "has_sig": true, "md5_digest": "8f5c9be68d7cf846a251106fe3e44d11", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12479, "upload_time": "2013-07-28T15:07:34", "url": "https://files.pythonhosted.org/packages/77/6c/87ae7ea4dd58588f49c47b5dc17017787c64936743065fbb70294edf63c0/tlsauth-0.4.tar.gz" } ], "0.4-1": [ { "comment_text": "", "digests": { "md5": "4cfda35322ba2660d7ab0ac74a12231b", "sha256": "8a73c8ad70e66a1f5dc682159d867b6e46242b6edc5410c68edf0dcdf8cb615e" }, "downloads": -1, "filename": "tlsauth-0.4_1-py2.7.egg", "has_sig": true, "md5_digest": "4cfda35322ba2660d7ab0ac74a12231b", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 17557, "upload_time": "2013-07-28T15:28:20", "url": "https://files.pythonhosted.org/packages/bd/b3/a2d4c87eae12c5dad0410afead99cb16c481b2e753758936782111fb5268/tlsauth-0.4_1-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "ab43089afc287f299d0905fcd95c8b36", "sha256": "36b26b5ba5d0ff1b38c6863b9b487b0acba30e77e4c465a4742ed0a29c9afc76" }, "downloads": -1, "filename": "tlsauth-0.4-1.tar.gz", "has_sig": true, "md5_digest": "ab43089afc287f299d0905fcd95c8b36", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12383, "upload_time": "2013-07-28T15:28:05", "url": "https://files.pythonhosted.org/packages/2c/34/430c1acc2fc810329979853f0c64841e20d078472fb9111f7068504aa179/tlsauth-0.4-1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "4cfda35322ba2660d7ab0ac74a12231b", "sha256": "8a73c8ad70e66a1f5dc682159d867b6e46242b6edc5410c68edf0dcdf8cb615e" }, "downloads": -1, "filename": "tlsauth-0.4_1-py2.7.egg", "has_sig": true, "md5_digest": "4cfda35322ba2660d7ab0ac74a12231b", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 17557, "upload_time": "2013-07-28T15:28:20", "url": "https://files.pythonhosted.org/packages/bd/b3/a2d4c87eae12c5dad0410afead99cb16c481b2e753758936782111fb5268/tlsauth-0.4_1-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "ab43089afc287f299d0905fcd95c8b36", "sha256": "36b26b5ba5d0ff1b38c6863b9b487b0acba30e77e4c465a4742ed0a29c9afc76" }, "downloads": -1, "filename": "tlsauth-0.4-1.tar.gz", "has_sig": true, "md5_digest": "ab43089afc287f299d0905fcd95c8b36", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12383, "upload_time": "2013-07-28T15:28:05", "url": "https://files.pythonhosted.org/packages/2c/34/430c1acc2fc810329979853f0c64841e20d078472fb9111f7068504aa179/tlsauth-0.4-1.tar.gz" } ] }