This repository has been archived by the owner on Sep 14, 2018. It is now read-only.

Setting up an https server with SimpleHTTPServer and ssl.wrap_socket (): X509 certificate is not read #1295

Closed
jpmaterial opened this issue May 18, 2016 · 5 comments

@jpmaterial

I tried setting up an https server as described here: http://www.piware.de/2011/01/creating-an-https-server-in-python/comment-page-1/#comment-507199

import BaseHTTPServer, SimpleHTTPServer
import ssl

# Plain HTTP server on localhost:4443 serving the current directory
httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
# Wrap the listening socket in TLS; the PEM file is expected to hold cert and key
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='path/to/localhost.pem', server_side=True)
httpd.serve_forever()

The problem: Upon receiving a request, the server throws an error: "The server mode SSL must use a certificate with the associated private key." According to google/stackoverflow, this problem is solved by using class X509Certificate2 instead of X509Certificate.

http://stackoverflow.com/questions/23044914/c-sharp-ssl-server-mode-must-use-a-certificate-with-the-corresponding-private-ke
http://stackoverflow.com/questions/14214396/how-to-create-a-certificate-to-use-with-sslstream-authenticateasserver-without-i

I tried key and certificate in the same and in different files:

openssl req -new -x509 -keyout webdav_config_both.pem -out webdav_config_both.pem -days 3650 -nodes
openssl req -new -x509 -keyout webdav_config_key.pem -out webdav_config.pem -days 3650 -nodes

And corresponding variants of the wrap_socket() call:

httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='webdav_config_key.pem', certfile='webdav_config.pem', server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)
httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='webdav_config_both.pem', certfile='webdav_config_both.pem', server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)

@jpmaterial
Author

Okay, I got past this issue. The problem is that IronPython understands exactly one format for certificates (PEM-encoded x509) and one for private keys (DER-encoded PKCS#1) - refer to https://github.com/IronLanguages/main/blob/ipy-2.7-maint/Languages/IronPython/IronPython.Modules/_ssl.cs . To generate these files, do

openssl req -outform PEM -new -x509 -keyout webdav_config_5_key.pem -out webdav_config_5_cert.pem -days 3650 -nodes -newkey rsa:2048 -keyform PEM
openssl rsa -inform PEM -in webdav_config_5_key.pem -out webdav_config_5_key.rsa
type webdav_config_5_cert.pem webdav_config_5_key.rsa > webdav_config_5_both

In Python, do
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='webdav_config_5_both', server_side=True)

If you supply these formats, they can be read, but you'll get another error: "the credentials supplied to the package were not recognized"

This seems to be due to the fact that the certificate and key need to be in Windows' certificate store and of course Windows can import neither PEM-encoded x509 keys nor DER-encoded PKCS#1 keys...

So I'm IMHO left with these choices:

  1. Produce the key in yet another format for Windows to import
  2. Re-implement the certificate-and-key-parsing function ReadCertificate() from _ssl.cs in Python (because that is of course private) and import the certificate programmatically
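The two posts above both come down to the same question: does the material handed to the TLS server actually contain a certificate and its private key, in a form the runtime can load? The following is an added example (not code from the issue or from IronPython) for current CPython 3, where `ssl.wrap_socket()` is gone and the server-side `SSLContext` is the replacement. It first inspects PEM text for the block labels present (the cheap check a practitioner does before blaming the TLS stack), then builds a context with `load_cert_chain()`, which refuses a key that does not belong to the certificate, and a TLS 1.2 floor instead of the `PROTOCOL_TLSv1` pin from the first post. The sample PEM strings are constructed placeholders with dummy bodies; the file names in `__main__` are assumptions.

```python
"""Inspect PEM material for a TLS server and build a hardened SSLContext (Python 3.7+)."""
import functools
import http.server
import re
import ssl
from typing import Dict, List, Optional

# A PEM block is "-----BEGIN LABEL-----", body lines, "-----END LABEL-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """Return the labels of every PEM block in text, in file order."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def inspect_pem_files(certfile_text: str, keyfile_text: Optional[str] = None) -> Dict[str, object]:
    """Report whether the cert file (plus optional key file) supplies what a server needs.

    This is the same requirement behind the error quoted in the issue: server mode
    needs a certificate AND the matching private key, whether they share one file or not.
    """
    labels = pem_labels(certfile_text)
    if keyfile_text is not None:
        labels += pem_labels(keyfile_text)
    problems = []
    if not any(lbl in CERT_LABELS for lbl in labels):
        problems.append("no CERTIFICATE block found")
    if not any(lbl in KEY_LABELS for lbl in labels):
        problems.append("no private key block found (a server needs certificate + key)")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is encrypted: load_cert_chain() will need a password")
    return {"labels": labels, "ok": not problems, "problems": problems}


def make_server_context(certfile: str, keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context replacing ssl.wrap_socket().

    load_cert_chain() raises ssl.SSLError when the key does not match the certificate,
    so a cert/key mix-up fails at startup rather than on the first client request.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # do not negotiate TLS 1.0 / 1.1
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def serve(directory: str, certfile: str, keyfile: Optional[str] = None, port: int = 4443) -> None:
    """Serve `directory` over HTTPS on localhost:port (blocks until interrupted)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer(("localhost", port), handler)
    httpd.socket = make_server_context(certfile, keyfile).wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


# Constructed PEM samples: the bodies are placeholders, not real key material.
SAMPLE_CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_RSA_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
)
SAMPLE_COMBINED = SAMPLE_CERT_ONLY + (
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Assumed file names; replace with your own certificate and key paths.
    with open("localhost_cert.pem") as f_cert, open("localhost_key.pem") as f_key:
        report = inspect_pem_files(f_cert.read(), f_key.read())
    print(report)
    if report["ok"]:
        serve(".", "localhost_cert.pem", "localhost_key.pem")
```

Running the inspector on a certificate-only file reports the missing key before any socket is opened; the combined-file layout from the second post (certificate block followed by key block) passes, and `load_cert_chain()` then does the cryptographic check that the two belong together.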

@slide
Contributor

slide commented Aug 15, 2016

Do you have a proposed solution to the problem?

@slide slide removed the untriaged label Aug 15, 2016
@jpmaterial
Author

Extend ssl.wrap_socket() / ssl.SSLSocket / _ssl.wrap_socket() such that certificates and keys from the Windows Certificate Store can be used. This seems to be required anyway further down the road.

@slide
Contributor

slide commented Sep 30, 2016

I have code to load the certs from the windows store now. I need to retest this scenario still.

@slide
Contributor

slide commented Jun 9, 2017

This issue was moved to IronLanguages/ironpython2#100

@slide slide closed this as completed Jun 9, 2017