@@ -34,6 +34,9 @@ Spring Python currently supports and requires the installation of at least one o
3434* `Hessian <http://hessian.caucho.com/ >`_ - support for Hessian has just started. So far, you can call
3535 Python-to-Java based on libraries released from Caucho.
3636
37+ * :ref: `Secure XML-RPC <remoting-secure-xml-rpc >` needs the installation of
38+ `PyOpenSSL <http://pypi.python.org/pypi/pyOpenSSL >`_
39+
3740Remoting with PYRO (Python Remote Objects)
3841------------------------------------------
3942
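Review bot: the new `Secure XML-RPC` bullet names pyOpenSSL as a requirement but gives no minimum version, while the neighbouring Hessian entry at least states its status; add the pyOpenSSL version the SSL server and client were tested against, since the `SSL.VERIFY_PEER` / `SSL.VERIFY_FAIL_IF_NO_PEER_CERT` flags and the new `verify_depth` option used later in this patch rely on it.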
@@ -452,6 +455,8 @@ error handling should be added in case there are no services available. And
452455there needs to be a way to grow the services. But this gets us off to a good
453456start.
454457
458+ .. _remoting-secure-xml-rpc :
459+
455460Secure XML-RPC
456461--------------
457462
@@ -465,6 +470,19 @@ support for securing the communications path. You can choose whether to:
465470* validate the client certificate’s fields, for instance you can configure the server
466471 to only allow requests if a commonName is equal to an upon agreed value
467472
473+ Note that you can use both the client and the server with other XML-RPC
474+ implementations, there’s nothing preventing you from exposing secure XML-RPC to
475+ Java or .NET clients or from connecting with the secure client to XML-RPC servers
476+ implemented in other languages and technologies.
477+
478+ To aid with better understanding of how the components work out of the box,
479+ you can download :ref: `sample keys and certificates <remoting-secure-xml-rpc-sample-keys-and-certificates >`
480+ prepared by the Spring Python team.
481+ Be sure **not ** to ever use it for anything serious outside your testing environment,
482+ they are working and functional but because of private keys being available for
483+ download they should **only ** be used for learning of how Spring Python's
484+ secure XML-RPC works.
485+
468486Encrypted connection only
469487+++++++++++++++++++++++++
470488
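Review bot: the warning paragraph mixes number ("never use it ... they are working") and should read "for learning how" rather than "for learning of how"; more importantly, it should spell out why the sample package is unsafe beyond "private keys being available": the same patch ships the CA private keys (`ca-root-key.pem`, `ca-signing-key.pem`), so anyone can issue a certificate that a server or client configured with the sample `ca-chain.pem` will accept, which is why a real deployment must generate its own CA and chain rather than reuse these files with new leaf certificates.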
@@ -501,7 +519,7 @@ one of CAs the client is aware of::
501519 key = "./server-key.pem"
502520 cert = "./server-cert.pem"
503521
504- server = MySSLServer(host, port, key, cert)
522+ server = MySSLServer(host, port, key, cert, verify_depth=2 )
505523 server.serve_forever()
506524
507525::
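Review bot: `verify_depth=2` is introduced here without any explanation in the surrounding text; document what the option limits (the maximum chain length accepted during peer verification), why 2 is the right value for the sample PKI described later in this patch (leaf signed by the Signing CA, which is signed by the Root CA), and whether it has any effect in this "encrypted connection only" example, where the server is given neither `ca_certs` nor `verify_options` and it is the client (configured with `ca_certs` in the next hunk) that actually validates a chain.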
@@ -512,7 +530,7 @@ one of CAs the client is aware of::
512530 from springpython.remoting.xmlrpc import SSLXMLRPCClient
513531
514532 server_location = "https://localhost:8000/RPC2"
515- ca_certs = "./cacert .pem"
533+ ca_certs = "./ca-chain .pem"
516534
517535 client = SSLXMLRPCClient(server_location, ca_certs=ca_certs)
518536
@@ -548,9 +566,10 @@ known to the client::
548566 port = 8000
549567 key = "./server-key.pem"
550568 cert = "./server-cert.pem"
551- ca_certs = "./cacert .pem"
569+ ca_certs = "./ca-chain .pem"
552570
553- server = MySSLServer(host, port, key, cert, ca_certs, verify_options=SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT)
571+ server = MySSLServer(host, port, key, cert, ca_certs, verify_options=SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
572+ verify_depth=2)
554573 server.serve_forever()
555574
556575::
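Review bot: since this hunk now carries both `verify_options` and `verify_depth`, the prose around it should state what each contributes: `SSL.VERIFY_FAIL_IF_NO_PEER_CERT` is what turns the client certificate from optional into mandatory (with `SSL.VERIFY_PEER` alone a client that presents no certificate is still accepted), and `verify_depth=2` means a client certificate issued by a CA one level below the Signing CA will be rejected even though the chain is otherwise valid; a sentence on each saves readers from discovering this through failed handshakes.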
@@ -563,7 +582,7 @@ known to the client::
563582 server_location = "https://localhost:8000/RPC2"
564583 key = "./client-key.pem"
565584 cert = "./client-cert.pem"
566- ca_certs = "./cacert .pem"
585+ ca_certs = "./ca-chain .pem"
567586
568587 client = SSLXMLRPCClient(server_location, key_file=key, cert_file=cert, ca_certs=ca_certs)
569588
@@ -603,12 +622,12 @@ will be leaked to the client::
603622 port = 8000
604623 key = "./server-key.pem"
605624 cert = "./server-cert.pem"
606- ca = "./chain.pem"
625+ ca = "./ca- chain.pem"
607626
608627 verify_fields = {"CN": "Client", "O":"The Sample Company", "ST":"New York"}
609628
610629 server = MySSLServer(host, port, key, cert, ca, verify_options=SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
611- verify_fields=verify_fields)
630+ verify_fields=verify_fields, verify_depth=2 )
612631 server.serve_forever()
613632
614633::
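Review bot: the CA bundle variable is named `ca` in this example but `ca_certs` in the previous server example (`ca_certs = "./ca-chain.pem"`); use one name throughout so readers can diff the three server variants. The `verify_fields` text should also say whether every listed field (`CN`, `O`, `ST`) must match and whether the comparison is exact, and that the field check only means something because `verify_options` already forces chain validation first; matching subject fields on an unverified certificate would authenticate nothing.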
@@ -624,21 +643,44 @@ will be leaked to the client::
624643 # Make sure the commonName is set to what the server requires.
625644 cert = "./client-cert.pem"
626645
627- ca_certs = "./cacert .pem"
646+ ca_certs = "./ca-chain .pem"
628647
629648 client = SSLXMLRPCClient(server_location, key_file=key, cert_file=cert, ca_certs=ca_certs)
630649
631650 print client.pow(41, 3)
632651
633- More options
634- ++++++++++++
652+ .. _remoting-secure-xml-rpc-sample-keys-and-certificates :
653+
654+ Sample keys and certificates
655+ ++++++++++++++++++++++++++++
656+
657+ `The downloadable package <./_static/pki.zip >`_ contains the keys and certificates of CAs, client and
658+ the server shown in the examples. It's crucial to remember that these are only
659+ samples with known private keys and they should **only ** be used for playing around
660+ with SSL XML-RPC's API.
661+
662+ .. image :: gfx/pki.png
663+ :align: center
664+
665+ *client-key.pem * and *client-cert.pem * are the client's private key and its
666+ certificate while *server-key.pem * and *server-cert.pem * are their counterparts
667+ as used by the server. Both certificates have been signed off by the *SAMPLE Signing CA *
668+ whose certificate has been in turn signed off by the *SAMPLE Root CA *. SAMPLE Root
669+ CA's certificate is self-signed. Private keys of CAs are in files *ca-root-key.pem * and
670+ *ca-signing-key.pem *. Certificates of both CAs - *ca-root-cert.pem * & *ca-signing-cert.pem *
671+ have been concatenated into a *ca-chain.pem * file so that they form a chain of the
672+ Certificate Authorities both sides may trust. All certificates are valid until
673+ 2020 so there's a lot of time for experimenting. Type **1234 ** if asked for any
674+ password, it's the same one for each private key.
675+
676+ .. _remoting-secure-xml-rpc-configuration :
677+
678+ Configuration
679+ +++++++++++++
635680
636681**ZzzzzZzz ** All the config options go here..
637682
638- Note that you can use both the client and the server with other XML-RPC
639- implementations, there’s nothing preventing you from exposing secure XML-RPC to
640- Java or .NET clients or from connecting with the secure client to XML-RPC servers
641- implemented in other languages and technologies.
683+ .. _remoting-secure-xml-rpc-logging :
642684
643685Logging
644686+++++++
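Review bot: the "Sample keys and certificates" section repeats, nearly verbatim, the warning this patch already adds at the top of "Secure XML-RPC"; keep one copy and cross-reference it with the existing `:ref:` label. In the same section, "valid until 2020" and "Type **1234** if asked for any password" will go stale whenever the package is regenerated, so tie them to the package rather than the prose, and give the `.. image:: gfx/pki.png` directive an `:alt:` describing the chain (Root CA signs Signing CA, which signs client and server) for readers without the image. The new "Configuration" heading is added over the `**ZzzzzZzz** All the config options go here..` placeholder, which should not ship in release docs; at minimum list `ca_certs`, `verify_options`, `verify_fields` and `verify_depth`, the options this patch exercises.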