How to create a dual-authentication HTTPS client in Python without (L)GPL libs?

Both the client and the server are internal, each has a certificate signed by the internal CA and the CA certificate. I need the client to authenticate the server's certificate against the CA certificate it has. It also should send its certificate to the server for authentication.

The urllib2 manual says that server authentication is not performed. PycURL is a natural alternative but its license is not approved yet. I would also prefer not having to compile the library from the source code but to use RPM instead.

I went over a bunch of libraries like requests, httplib2 and don't see what I need. There is also the ssl module but I don't feel like implementing HTTP myself if I don't absolutely have to.

Python 2.6 on RHEL 5.7

davka asked Feb 01 '12 09:02


2 Answers

Well, the winner (almost) is httplib2 v0.7. Starting from this version it supports SSL certificate authentication. Here's the sample code:

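import httplib2
client = httplib2.Http(ca_certs='ca.crt')  # internal CA used to verify the server
client.add_certificate(key='client_private_key.pem', cert='cert_client.pem', domain='')  # client identity sent to the server
headers, resp = client.request(query)  # query: the https:// URL to fetch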

Note the domain='' parameter, it didn't work for me otherwise.

PS. Unfortunately this simple solution does not work for me, as I forgot to mention an additional requirement: having an RPM installation for RHEL 5.7 & Python 2.6.

davka answered Oct 04 '22 17:10
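The same two-way authentication as in the answer above, written against only the standard library of a current Python 3 (an assumption: the question's Python 2.6 has no ssl.SSLContext). This is an added example, not code from the thread; the function names, host and file paths are hypothetical. It also rejects a context that would skip server authentication, the gap the question notes for urllib2.

```python
import http.client
import ssl


def build_mtls_context(ca_file, cert_file, key_file):
    """Client context that trusts only ca_file and presents cert_file/key_file."""
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED, hostname checking on,
    # and an empty trust store (system CAs are not loaded).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)                   # internal CA only
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)   # client identity
    return ctx


def server_auth_problems(ctx):
    """Return the reasons this context would not authenticate the server."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        problems.append("check_hostname is disabled")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        problems.append("no CA certificate loaded")
    return problems


def fetch(host, path, ctx, port=443):
    """GET https://host:port/path, refusing to connect with a weak context."""
    problems = server_auth_problems(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()
```

The client certificate is only checked by the server, so server_auth_problems covers the server-verification half; a missing or unreadable client key fails earlier, inside load_cert_chain.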


Twisted Python is a library that may do what you need although I'm not sure if the MIT license fits what you want. GPL is a pretty specific license and hopefully you didn't mean "all open source licenses."

For SSL examples, see http://twistedmatrix.com/documents/current/core/howto/ssl.html. The last couple examples on that page are particularly relevant based on your description. Twisted uses PyOpenSSL (docs) which is licensed with the Apache license. You might consider using PyOpenSSL directly as well.

gfortune answered Oct 04 '22 17:10