rbit / pydtls
Datagram Transport Layer Security for Python
License: Apache License 2.0
I have a question regarding NAT traversal, and specifically with long-running connections. In these cases the STUN binding will time out, causing a new packet from client to server to appear to be coming from a new source port.
We tried out some tests with a rigged client which made it possible to exchange the datagram socket for a new one. So what happens is this:
client makes a DTLS socket to the server, server accepts a fresh DTLS socket
then we exchange the datagram socket in the client for a new one (so new source port), and we send a new packet to the server.
In this case, it looks like the server seems to accept a new TLS socket, but does not do a new handshake.
I would expect that the packet would be steered towards the original TLS socket.
This is obviously only a crude test to reproduce the issue. With a real setup we've also seen that not only the source port changes, but also the source IP could change due to a load-balancing NAT gateway.
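The situation described above, as an added example that is not pydtls code: a server that keys DTLS sessions by peer (ip, port) cannot match a datagram arriving from a new source port to the existing session, and a conservative demultiplexer should only honour such a datagram if it carries a fresh ClientHello, dropping application-data records rather than spawning a socket that never completed a handshake. The record layout is the DTLS 1.2 one from RFC 6347; the ClientHello in the test is a constructed stub.

```python
import struct
from dataclasses import dataclass

# DTLS 1.2 record header: type(1) version(2) epoch(2) sequence(6) length(2) = 13 bytes
RECORD_HEADER = struct.Struct("!BHH6sH")
DTLS12 = 0xFEFD
HANDSHAKE, APPLICATION_DATA = 22, 23
CLIENT_HELLO = 1  # first byte of a handshake record body is the handshake message type

@dataclass
class Record:
    content_type: int
    version: int
    epoch: int
    seq: int
    payload: bytes

def parse_record(datagram: bytes) -> Record:
    """Parse the first DTLS record in a datagram; raises ValueError if truncated."""
    if len(datagram) < RECORD_HEADER.size:
        raise ValueError("short record header")
    ctype, version, epoch, seq6, length = RECORD_HEADER.unpack_from(datagram)
    body = datagram[RECORD_HEADER.size:RECORD_HEADER.size + length]
    if len(body) != length:
        raise ValueError("record length exceeds datagram")
    return Record(ctype, version, epoch, int.from_bytes(seq6, "big"), body)

def build_record(ctype, epoch, seq, payload, version=DTLS12):
    """Constructed test datagram: one record with the given header fields (not a real TLS message)."""
    return RECORD_HEADER.pack(ctype, version, epoch, seq.to_bytes(6, "big"), len(payload)) + payload

class Demux:
    """Keys sessions by (ip, port); only a fresh ClientHello may create one."""
    def __init__(self):
        self.sessions = {}

    def route(self, peer, datagram):
        rec = parse_record(datagram)
        if peer in self.sessions:
            return "deliver"  # existing session: hand the record to its SSL object
        # Unknown 5-tuple, e.g. after a NAT rebinding changed the source port:
        # nothing here can decrypt an application_data record, so drop it instead
        # of accepting a "new" socket that never completed a handshake.
        if (rec.content_type == HANDSHAKE and rec.epoch == 0
                and rec.payload[:1] == bytes([CLIENT_HELLO])):
            self.sessions[peer] = {"handshake_done": False}
            return "new-handshake"
        return "drop"
```

Without DTLS connection identifiers (RFC 9146), which nothing on this page shows pydtls exposing, the peer address is the only session key, so after a NAT rebinding the client must either re-handshake or keep the binding alive with application-level keepalives shorter than the NAT timeout.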
I tried running the simple_client.py test that's available in the package and I get the following traceback:
DEBUG:dtls.sslconnection:Initiating handshake...
DEBUG:dtls.openssl:SSL error raised: ssl_error: 5, result: -1, errqueue: [], func_name: SSL_do_handshake
DEBUG:dtls.sslconnection:Freeing SSL: 98835056
DEBUG:dtls.sslconnection:Freeing SSL CTX: 92355984
Traceback (most recent call last):
File "C:\Python27\Lib\site-packages\dtls\test\simple_client.py", line 11, in <module>
sock.connect(('localhost', 28000))
File "C:\Python27\lib\ssl.py", line 876, in connect
self._real_connect(addr, False)
File "C:\Python27\lib\site-packages\dtls\patch.py", line 272, in _SSLSocket_real_connect
raise e
ssl.SSLError: 505: The peer address is not reachable(5, [], -1, <CFunctionType object at 0x0000000005F83118>, (<dtls.openssl.SSL object at 0x0000000005F93470>,))
Any explanation?
Thanks in advance!
Hi, I am new to this library and SSL in general, apologies in advance. I've been trying to create a server using pydtls that will support PSK. I have a client that tries to establish a PSK connection, but whenever it tries to talk to my server, I just get an error of ssl3_get_client_hello:no shared cipher. How can I do this?
I have an existing client that uses Pydtls and establishes a connection with a server already using PSK so I assumed I should be able to make my own Server that can take connections using PSK cipher.
I am receiving the following error message when trying to install using pip:
# pip install Dtls
Collecting Dtls
Using cached Dtls-1.2.0.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-build-XmO1Kb/Dtls/setup.py", line 53, in <module>
long_description = open("README.md").read()
IOError: [Errno 2] No such file or directory: 'README.md'
As far as I can tell, it looks like a packaging issue.
Also (this might be related), the install command encounters an error message:
# python setup.py install
running install
...
error: can't copy 'dtls_package_files': doesn't exist or not a regular file
pydtls currently does not support Python 3.
I've tried the trivial porting steps of running 2to3, and replaced a few str/bytes changes, but the largest chunk of work seems to be in dtls/patch.py where pydtls is accessing socket internals that changed (e.g. _sock; but even if that was the Python 2 idiom for accessing the fileno, changing socket(_sock=other._sock) to socket(fileno=other.fileno()) didn't get me far on the test suite).
Please consider adding support for current Python versions.
Trying to run the unit.py script directly results in a failure due to the dtls import not being found; either the PATH needs adapting before the dtls import, or a relative import used, or another solution sought.
Quick fix example for unit.py line 24, just before the dtls import statement:
import os
import sys
# unit.py lives in dtls/test/, so two levels up is the repository root that contains the dtls package
for p in ('../../',):
    sys.path.insert(0, os.path.normpath(os.path.join(os.path.dirname(__file__), p)))
Hello!
For some reason I cannot install this via pip3:
Collecting Dtls
Downloading https://files.pythonhosted.org/packages/06/bb/dcd7fd37b109b7b63d9fec5c5a25f5842e699e864a0c10ca8448c6bb1f04/Dtls-1.2.0.tar.gz (79kB)
100% |████████████████████████████████| 81kB 1.2MB/s
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-build-wclkc1_6/Dtls/setup.py", line 53, in <module>
long_description = open("README.md").read()
FileNotFoundError: [Errno 2] No such file or directory: 'README.md'
Mebus
As released, this program only works on Windows or Linux (as advertised). It takes only a minor tweak to make it compatible with recent (>=10.7) versions of OSX:
openssl.py: libcrypto = CDLL("libcrypto.0.9.8.dylib")
openssl.py: libssl = CDLL("libssl.0.9.8.dylib")
i.e. simply substituting some ssl library names. The resultant OSX-friendly DTLS client behavior works perfectly with an independent GNUTLS-flavored DTLS server written in C.
DTLS 1.2 in RFC 6347 recommends that the DTLS implementation expose to the application layer the effective application data MTU given the record/ciphersuite overhead. The OpenSSL function to do this is DTLS_get_data_mtu, which is not currently part of this API.
I do see an API for the application to hint to OpenSSL what the underlying network PMTU is.
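An added example (not pydtls's or OpenSSL's code) that works out, from the DTLS 1.2 record framing, the figure DTLS_get_data_mtu is meant to report: the per-suite expansion sizes are those defined for the TLS 1.2 AEAD and CBC suites (including the PSK-AES-GCM and PSK-AES-CCM suites discussed on this page), and the result is a first-principles estimate rather than OpenSSL's exact value, which may reserve a few extra bytes.

```python
import math

# Fixed framing sizes in bytes: IPv4/IPv6 header, UDP header, DTLS 1.2 record header (RFC 6347)
IPV4_HEADER, IPV6_HEADER, UDP_HEADER = 20, 40, 8
DTLS_RECORD_HEADER = 13  # type(1) version(2) epoch(2) sequence(6) length(2)

# Per-record expansion of a few suites: (explicit IV/nonce, MAC or AEAD tag, cipher block size)
SUITES = {
    "TLS_PSK_WITH_AES_128_GCM_SHA256": (8, 16, 1),    # AEAD: 8-byte explicit nonce, 16-byte tag
    "TLS_PSK_WITH_AES_128_CCM":        (8, 16, 1),    # CCM uses the same framing as GCM
    "TLS_PSK_WITH_AES_128_CCM_8":      (8, 8, 1),     # CCM_8 truncates the tag to 8 bytes
    "TLS_RSA_WITH_AES_128_CBC_SHA":    (16, 20, 16),  # CBC: 16-byte explicit IV, HMAC-SHA1, padding
    "TLS_RSA_WITH_AES_256_CBC_SHA256": (16, 32, 16),  # CBC with HMAC-SHA256
}

def data_mtu(path_mtu, suite, ipv6=False):
    """Largest application payload that fits one DTLS record in one unfragmented datagram."""
    iv, mac, block = SUITES[suite]
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    # Bytes left for the encrypted part of the record after all fixed headers and the explicit IV
    enc = path_mtu - ip_header - UDP_HEADER - DTLS_RECORD_HEADER - iv
    if block > 1:
        # CBC: plaintext + MAC + padding must fill whole blocks, and the padding_length
        # byte itself always costs at least one byte
        enc = (enc // block) * block - 1
    return max(enc - mac, 0)

def records_needed(payload_len, path_mtu, suite, ipv6=False):
    """How many datagrams a payload needs once the effective data MTU is known."""
    mtu = data_mtu(path_mtu, suite, ipv6)
    if mtu == 0:
        raise ValueError("path MTU too small for even one record")
    return math.ceil(payload_len / mtu)
```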
Hi,
I want to know if this library can be used in my project for emulating the Hue Entertainment feature. My project is built in Python 3 and the requirements for Hue Entertainment are these:
DTLS Handshaking
UDP port 2100 is used for DTLS handshaking and streaming. Only DTLS mode version 1.2 with Pre-Shared Key (PSK) Key exchange method with TLS_PSK_WITH_AES_128_GCM_SHA256 set as Cipher Suite is supported.
Thanks.
Hi,
I'd like to know if it would be possible to make this library work for MicroPython devices (namely PyCom devices). I tried to adapt the code, but the use of certain libraries (types and weakref, for instance) seems to be difficult to do without.
Could you please help me, either by telling me if a port to MicroPython exists or how it could be done?
I've searched the web for a while but came up empty-handed on that matter.
Thanks in advance.
I have installed Dtls with "pip install Dtls" on my Raspberry Pi 3.
Now the problem is:
Note: It looks like pyDTLS installed libssl.1.0.0, which does not have "DTLS_server_method".
Maybe it is required to install libssl.1.0.2 from pyDtls itself. How to do this?
I am getting the following error while trying to use your DTLS method for my test_secure.py CoAP method.
Traceback (most recent call last):
File "test_secure.py", line 23, in <module>
from dtls.wrapper import wrap_server, wrap_client
File "/usr/local/lib/python2.7/dist-packages/dtls/__init__.py", line 63, in <module>
from patch import do_patch
File "/usr/local/lib/python2.7/dist-packages/dtls/patch.py", line 44, in <module>
from sslconnection import SSLConnection, PROTOCOL_DTLS, PROTOCOL_DTLSv1, PROTOCOL_DTLSv1_2
File "/usr/local/lib/python2.7/dist-packages/dtls/sslconnection.py", line 60, in <module>
from x509 import _X509, decode_cert
File "/usr/local/lib/python2.7/dist-packages/dtls/x509.py", line 34, in <module>
from openssl import *
File "/usr/local/lib/python2.7/dist-packages/dtls/openssl.py", line 811, in <module>
((c_char_p, "ret"), (c_int, "nid")), True, None),
File "/usr/local/lib/python2.7/dist-packages/dtls/openssl.py", line 642, in <module>
map(lambda x: _make_function(*x), (
File "/usr/local/lib/python2.7/dist-packages/dtls/openssl.py", line 562, in _make_function
for i in args[1:]))
AttributeError: /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0: undefined symbol: DTLS_server_method
Since I cannot get pydtls to work from the provided binary (due to the inability to dlopen libcrypto), I tried the --no-binary option, which is facing two problems:
Collecting dtls (from -r src/assets/requirements.txt (line 26))
Downloading Dtls-1.2.0.tar.gz (79kB)
100% |████████████████████████████████| 81kB 2.3MB/s
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/private/var/folders/8f/ch8vbtq93ldfc4vksdp5cw540000gn/T/pip-build-lHgm4v/dtls/setup.py", line 53, in <module>
long_description = open("README.md").read()
IOError: [Errno 2] No such file or directory: 'README.md'
Support for draft dtls-1.3
As the title says, add pydtls to the Python Package Index for easy installation.
https://packaging.python.org/distributing/#uploading-your-project-to-pypi
Haven't done it myself yet, but it doesn't look too complicated.
Just an idea.
The quest for DTLS support for CoAP led me to find that the needed CCM cipher suites are only supported in OpenSSL 1.1, while pydtls currently imports libssl 1.0.0.
I've tried raising the version, and many changes are rather straightforward (function renames done in C with macros, e.g. SSL_library_init to OPENSSL_init_ssl, SSLeay to OpenSSL_version_num); technically that's just replacing, though the question of which of them should be compatibility wrappers in Python depends on how much the openssl module is considered external API by pydtls. Some functions around threading vanished; I just commented them out to get quick results.
After that, I'm still stuck with my scn = SSLConnection(sock, server_side=False, ciphers="PSK-AES128-CCM") raising "no ciphers available", but at least one cause of why it can't work is eliminated.
It seems it comes from Release 1.2.2
pydtls-master# python setup.py
Traceback (most recent call last):
File "setup.py", line 55, in <module>
long_description = open("README.rst").read()
FileNotFoundError: [Errno 2] No such file or directory: 'README.rst'
Hi,
I'm looking for an easy-to-use DTLS solution that works on the Windows platform. How much of an effort would it be to add support for DTLS 1.2 for use on Windows? It is supported starting with OpenSSL 1.0.2a.
Regards,
Krzysztof
Where do the error codes in https://github.com/rbit/pydtls/blob/master/dtls/err.py come from?
ERR_BOTH_KEY_CERT_FILES = 500
ERR_BOTH_KEY_CERT_FILES_SVR = 298
ERR_NO_CERTS = 331
ERR_NO_CIPHER = 501
ERR_READ_TIMEOUT = 502
ERR_WRITE_TIMEOUT = 503
ERR_HANDSHAKE_TIMEOUT = 504
ERR_PORT_UNREACHABLE = 505
Are they Python specific, OpenSSL specific or pyDTLS specific?
Thx
For WEBRTC connections one needs bidirectional handshake/authentication from server to client and from client to the server on the same port. Is this possible with pydtls library and how? Is there any example?
Sorry if this is not the right place for my question.
Unit tests are failing in multiple scenarios, no modifications made.
Also tested with OpenSSL Version 1.0.2 (Devel Snapshot), same unit tests failed.
Suite run: demux: platform-native, protocol: 2
......EFE.E....E....E....
======================================================================
ERROR: test_connect (__main__.NetworkedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "test/unit.py", line 198, in test_connect
s.connect(remote)
File "/usr/lib/python2.7/ssl.py", line 397, in connect
self._real_connect(addr, False)
File "/usr/local/lib/python2.7/dist-packages/dtls/patch.py", line 206, in _SSLSocket_real_connect
raise e
__OpenSSLError: (1, [(336134278, 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed')], -1, <CFunctionType object at 0x25d2050>, (<dtls.openssl.SSL object at 0x25e55d0>,))
======================================================================
ERROR: test_get_server_certificate (__main__.NetworkedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "test/unit.py", line 321, in test_get_server_certificate
ca_certs=ISSUER_CERTFILE)
File "/usr/local/lib/python2.7/dist-packages/dtls/patch.py", line 88, in _get_server_certificate
s.connect(addr)
File "/usr/lib/python2.7/ssl.py", line 397, in connect
self._real_connect(addr, False)
File "/usr/local/lib/python2.7/dist-packages/dtls/patch.py", line 206, in _SSLSocket_real_connect
raise e
__OpenSSLError: (1, [(336134278, 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed')], -1, <CFunctionType object at 0x25d2050>, (<dtls.openssl.SSL object at 0x26a0190>,))
======================================================================
ERROR: test_non_blocking_connect_ex (__main__.NetworkedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "test/unit.py", line 230, in test_non_blocking_connect_ex
s.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 369, in do_handshake
self._sslobj.do_handshake()
File "/usr/local/lib/python2.7/dist-packages/dtls/sslconnection.py", line 508, in do_handshake
ERR_HANDSHAKE_TIMEOUT)
File "/usr/local/lib/python2.7/dist-packages/dtls/sslconnection.py", line 274, in _wrap_socket_library_call
return call()
File "/usr/local/lib/python2.7/dist-packages/dtls/sslconnection.py", line 507, in <lambda>
lambda: SSL_do_handshake(self._ssl.value),
File "/usr/local/lib/python2.7/dist-packages/dtls/openssl.py", line 411, in errcheck_ord
raise_ssl_error(result, func, args, find_ssl_arg(args))
File "/usr/local/lib/python2.7/dist-packages/dtls/openssl.py", line 402, in raise_ssl_error
raise openssl_error()(ssl_error, errqueue, result, func, args)
__OpenSSLError: (1, [(336134278, 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed')], -1, <CFunctionType object at 0x25d2050>, (<dtls.openssl.SSL object at 0x25e45d0>,))
======================================================================
ERROR: test_getpeercert (__main__.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "test/unit.py", line 999, in test_getpeercert
s.connect((HOST, server.port))
File "/usr/lib/python2.7/ssl.py", line 397, in connect
self._real_connect(addr, False)
File "/usr/local/lib/python2.7/dist-packages/dtls/patch.py", line 206, in _SSLSocket_real_connect
raise e
__OpenSSLError: (1, [(336134278, 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed')], -1, <CFunctionType object at 0x25d2050>, (<dtls.openssl.SSL object at 0x25e40d0>,))
======================================================================
ERROR: test_protocol_dtlsv1 (__main__.ThreadedTests)
Connecting to a DTLSv1 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
File "test/unit.py", line 1042, in test_protocol_dtlsv1
ssl.CERT_OPTIONAL)
File "test/unit.py", line 943, in try_protocol_combo
ciphers="ALL", chatty=False)
File "test/unit.py", line 896, in server_params_test
s.connect((HOST, server.port))
File "/usr/lib/python2.7/ssl.py", line 397, in connect
self._real_connect(addr, False)
File "/usr/local/lib/python2.7/dist-packages/dtls/patch.py", line 206, in _SSLSocket_real_connect
raise e
__OpenSSLError: (1, [(336134278, 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed')], -1, <CFunctionType object at 0x25d2050>, (<dtls.openssl.SSL object at 0x25e4090>,))
======================================================================
FAIL: test_connect_ex (__main__.NetworkedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "test/unit.py", line 209, in test_connect_ex
self.assertEqual(0, s.connect_ex(remote))
AssertionError: 0 != None
----------------------------------------------------------------------
Ran 25 tests in 0.844s
FAILED (failures=1, errors=5)
Suite run failed: demux: platform-native, protocol: 2