
Client certificate based access to specific resources using twisted webserver


I was wondering if the twisted webserver offers the possibility to restrict access to some resources using client certificate based authentication and to allow access to other resources without certs.

I searched through the questions and found this posting: Client side SSL certificate for a specific web page

Now my question is if someone knows if twisted has implemented the ssl renegotiation and what an example would look like.

Or has there been a different approach since then?


Just to make things clear and to give additional information:

What I actually want to achieve is something like this:

  • A new user visits a site and has not yet granted access to the resource because he has no token yet that allows him to view the site.
  • Therefore, he gets redirected to a login resource that is asking for a client certificate. If everything is correct, additional data retrieved from the certificate is stored in the session, which makes up the token.
  • He then gets redirected back to the entry site, the token is validated, and according to his authorization level specific content is displayed.

If I understood you correctly, Jean-Paul, this seems to be possible to implement with your strategy, right? Correct me if I'm missing something or doing it wrong.


Solution

  • It doesn't seem to me that SSL renegotiation is particularly applicable here. What you actually want to do is authorize a request based on the client certificate presented. The only reason SSL renegotiation might be required is if you want the client to be able to request multiple resources over a single persistent HTTPS connection, presenting a different client certificate for each. This strikes me as unlikely to be necessary (or at least, the reasons for wanting this - rather than just letting the client establish a new HTTPS connection, or just authorizing all your resources based on a single client certificate - are obscure).

    Authorization in Twisted Web is straightforward. Many prefer a capability-like approach, where the server selects a resource object based on the credentials presented by the client. This resource object has complete control over its content and its children, so by selecting one appropriate for the credentials presented, you completely control what content is available to what clients.

    You can read about twisted.web.guard in the http auth entry in the web in 60 seconds series.

    This will familiarize you with the specifics of authentication and authorization in Twisted Web. It will not tell you how to authenticate or authorize based on an SSL client certificate, though.

    To do that, you'll need to write something similar to HTTPAuthSessionWrapper - but which inspects the client SSL certificate instead of implementing HTTP authentication as HTTPAuthSessionWrapper does. This will involve implementing:

    • IResource to inspect the transport over which the request is received to extract the client certificate
    • implementing a credentials type which represents an X509 certificate
    • implementing a credentials checker which can authenticate your users based on their X509 certificate
    • and possibly implementing a realm which can authorize users (though you may have written this already, since it is orthogonal to the authentication step, and therefore is reusable even if you don't want to authenticate with SSL certificates)

    This functionality would be quite welcome in Twisted itself, so I'm sure you can find more help from the Twisted development IRC channel (#twisted-dev on freenode), and I hope you'll contribute whatever you write back to Twisted!