add optional `SSL` support #46

fsagbuya · 2024-10-02T09:24:11Z

Description

Add optional SSL/TLS support with mutual authentication. SSL is enabled when certificate files are provided.

Add SSL context creation in AsyncioServer requiring both server and client certificates
Update Client, AsyncioClient, and BestEffortClient classes to support mutual SSL authentication
Modify simple_server_loop to handle certificate verification
Add SSL parameter support to sipyco_rpctool (--cert, --key, --cafile)
Add documentation for SSL setup and usage including certificate generation

Related issue:

m-labs/artiq#2577

sbourdeauducq · 2024-10-08T06:15:20Z

Needs documentation (docstring update).

sbourdeauducq · 2024-10-09T04:57:44Z

Many things missing, e.g.

support in rpctool
support in other sipyco protocols: sync_struct, logging, broadcast
documentation about how to generate certificates

sbourdeauducq · 2024-10-09T04:58:40Z

You could do the protocols one by one if you prefer, and then we merge those PRs to a separate branch first.

sbourdeauducq · 2024-10-21T07:43:53Z

This doesn't authenticate the client, does it?
The main point of having SSL is preventing unwanted users from connecting to sipyco servers.

sbourdeauducq · 2024-10-21T07:45:08Z

I think you can add a client certificate (with different SSL API calls), or just a password.

doc/index.rst

sipyco/asyncio_tools.py

doc/index.rst

sipyco/sipyco_rpctool.py

sbourdeauducq · 2024-12-17T07:22:12Z

sipyco/ssl_tools.py

+        context.load_verify_locations(peerfile)
+    else:
+        context = ssl.create_default_context(cafile=peerfile)
+        context.check_hostname = False


Is this still actually checking the server certificate? Did you test and how?

upon testing again.. it is not. A fix is having the client context as PROTOCOL_TLS_CLIENT and have load_verify_locations. Will add this to the commit.

Add some tests as well with failing cert validations.

sipyco/ssl_tools.py

sipyco/pc_rpc.py

Signed-off-by: Florian Agbuya <fa@m-labs.ph>

fsagbuya force-pushed the ssl-support branch from 40c951d to 17e530d Compare October 9, 2024 03:30

fsagbuya marked this pull request as draft October 9, 2024 06:56

fsagbuya force-pushed the ssl-support branch 2 times, most recently from 98e30d6 to 2bdae90 Compare October 9, 2024 07:58

fsagbuya marked this pull request as ready for review October 9, 2024 07:58

fsagbuya force-pushed the ssl-support branch from 2bdae90 to a94a7f3 Compare October 9, 2024 09:43

fsagbuya mentioned this pull request Oct 11, 2024

Add SSL support for other sipyco protocols #47

Open

fsagbuya force-pushed the ssl-support branch from a94a7f3 to 71fcc89 Compare October 24, 2024 09:34

fsagbuya marked this pull request as draft October 24, 2024 09:34

fsagbuya force-pushed the ssl-support branch from 71fcc89 to 0bedb74 Compare October 25, 2024 07:15

fsagbuya force-pushed the ssl-support branch from 0bedb74 to 906890f Compare November 7, 2024 03:30

sbourdeauducq reviewed Nov 7, 2024

View reviewed changes