drbild / sslpsk

Adds TLS-PSK support to the Python ssl package
Apache License 2.0

Server: Elegant way to handle wrong client identity? #9

Closed mprt closed 5 years ago

mprt commented 5 years ago

I'm trying to properly refuse a connection when the client_identity is not in the list.

For now, I'm generating a random PSK as a workaround and catching the SSLError that is raised on a PSK mismatch:

import string
from random import choice

PSK_LIST = {}  # identity -> PSK mapping; populated elsewhere in the reporter's code

def psk_resolution(identity):
    # Look the client identity up; for unknown identities hand back a random
    # decoy PSK so the handshake fails with an SSLError instead of a KeyError.
    try:
        psk = PSK_LIST[identity]
    except KeyError:
        allchar = string.ascii_letters + string.punctuation + string.digits
        psk = "".join(choice(allchar) for x in range(40))
    return psk

Is there a more elegant solution?

drbild commented 5 years ago

Just returning None or the empty string should suffice.

See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_psk_client_callback.html
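An added example (not code from sslpsk or from either participant) of a server-side PSK callback that applies this answer: unknown identities get an empty PSK so OpenSSL aborts the handshake, and each rejection is recorded so failed identities can be monitored. The names PSK_TABLE and PskResolver, the sample keys, and the assumption that sslpsk may pass the identity as either str or bytes are this example's own.

```python
# Added example, not part of the sslpsk project: reject unknown client
# identities by returning an empty PSK (the maintainer's suggestion).
import logging

log = logging.getLogger("psk-server")

# Constructed sample table: client identity -> pre-shared key (bytes).
PSK_TABLE = {
    b"sensor-01": bytes.fromhex("0123456789abcdef0123456789abcdef"),
    b"sensor-02": bytes.fromhex("fedcba9876543210fedcba9876543210"),
}


class PskResolver:
    """Callable for sslpsk.wrap_socket(conn, server_side=True, psk=resolver)."""

    def __init__(self, table):
        self._table = dict(table)
        self.rejected = []  # identities that failed lookup, for monitoring

    def __call__(self, identity):
        # Assumption: the identity may arrive as str or bytes; key on bytes.
        if isinstance(identity, str):
            identity = identity.encode("utf-8")
        psk = self._table.get(identity)
        if psk is None:
            # An empty PSK makes OpenSSL fail the handshake, surfacing as an
            # SSLError on the server side. Always return bytes, never None.
            self.rejected.append(identity)
            log.warning("PSK lookup failed for client identity %r", identity)
            return b""
        return psk


if __name__ == "__main__":
    # Hypothetical wiring into a real sslpsk server (needs sslpsk installed).
    import socket
    import sslpsk

    resolver = PskResolver(PSK_TABLE)
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    conn, _ = srv.accept()
    tls = sslpsk.wrap_socket(conn, server_side=True, psk=resolver,
                             hint=b"example-hint")
```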

mprt commented 5 years ago

Ah, I overlooked the most obvious solutions.

An empty string works fine. When using None, the server raises a SystemError instead of the expected SSLError, but that's also perfectly fine for my case.

Thanks for the quick reply and for the hint to the important parts of the documentation!

drbild commented 5 years ago

Glad that worked!