Issue 181110: Please review reworked SSL support on client side.

Can't Edit
Can't Publish+Mail
Start Review

Created:
16 years, 1 month ago by h.goebel

Modified:
2 years, 3 months ago

Reviewers:

Visibility:
Public.

Description

This patch bundle implements the first step of a new SSL connection system on the client side. It allows the user to choose between secure and insecure connection and makes Tryton obey to this. Tryton does no longer auto-discover SSL nor does it change from a secure to an insecure connection automatically. The fall back has been a major security issue: If the connection was started secure, but the server (or an eavesdropper) switched of SSL, the socket would silently reconnect without encryption. The user did not have any chance to avoid this. (The status bar icon is updated _after_ data has been send.) Change Details: * GUI: New CheckButton to allow the user selecting "Secure Connection". (common.common.request_server()) Under the hood: * rpc.server_version is the function which is called first when connection to a server -- no matter wether it's a login, a create, drop or restore dialog. THus only this function takes an argument "secure" which may chance the secure-state of the connection. All other functions (esp. login, db_list, db_exec) are not changing this status. * pysocket.py: Switched to OpenSSL, since the Python standard module ssl is only available from Python 2.6 up. Unfortunatly OpenSSL has a ready dull, quite low-level interface. * pysocket.py: Do not auto-detect SSL and not *NOT* fall back to insecure connection if server does not use SSL. * ipv6.py: New module. Some refactoring has been done, too: * common/common.py: New class ConnectionDescription to remove redundant code of build and parsing netrpc-"urls" and some other related code. * gui/*: Dalogs Login, Create, Drop, Restore now use this ConnectionDescription and return hostname and port already separated instead of a sting. * pysocket: some code cleanup. E.g. moved the "if ssl" statement out of the inner loops. * rpc.py: some code cleanup. Esp. moved the redundant code for connecting the PySocket() into a common function.

Patch Set 1 #

Total comments: 21

Patch Set 2 : Fixed some minor glitches ced found. #

Patch Set 3 : moved ipv6.py into pysocket as ced suggested #

Created: 16 years, 1 month ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+313 lines, -271 lines)			Patch
M	tryton/common/common.py	View		6 chunks	+61 lines, -16 lines	0 comments	Download
M	tryton/config.py	View		1 chunk	+1 line, -0 lines	0 comments	Download
M	tryton/gui/main.py	View	1	5 chunks	+13 lines, -17 lines	0 comments	Download
M	tryton/gui/window/dbcreate.py	View		5 chunks	+12 lines, -15 lines	0 comments	Download
M	tryton/gui/window/dbdumpdrop.py	View		4 chunks	+15 lines, -14 lines	0 comments	Download
M	tryton/gui/window/dblogin.py	View		6 chunks	+26 lines, -29 lines	0 comments	Download
M	tryton/gui/window/dbrestore.py	View		2 chunks	+8 lines, -3 lines	0 comments	Download
A	tryton/ipv6.py	View	1 2	1 chunk	+5 lines, -0 lines	0 comments	Download
M	tryton/pysocket.py	View	1 2	5 chunks	+138 lines, -129 lines	0 comments	Download
M	tryton/rpc.py	View		6 chunks	+34 lines, -48 lines	0 comments	Download

Messages

Total messages: 8

Expand All Messages | Collapse All Messages

udono

http://codereview.appspot.com/181110/diff/1/2 File tryton/common/common.py (right): http://codereview.appspot.com/181110/diff/1/2#newcode183 tryton/common/common.py:183: connDesc = ConnectionDescription.from_url(server_widget.get_text()) camelCase we use only on class ...

16 years, 1 month ago (2010-01-02 08:35:39 UTC) #3

h.goebel

udo.spallek@googlemail.com schrieb: > camelCase we > use only on class definitions. Please use for variable ...

16 years, 1 month ago (2010-01-02 10:39:48 UTC) #4

ced

http://codereview.appspot.com/181110/diff/1/2 File tryton/common/common.py (right): http://codereview.appspot.com/181110/diff/1/2#newcode170 tryton/common/common.py:170: entry_secure = gtk.CheckButton() A check box is really not ...

16 years, 1 month ago (2010-01-02 16:19:39 UTC) #5

h.goebel

16 years, 1 month ago (2010-01-06 16:20:36 UTC) #6

http://codereview.appspot.com/181110/diff/1/2
File tryton/common/common.py (right):

http://codereview.appspot.com/181110/diff/1/2#newcode170
tryton/common/common.py:170: entry_secure = gtk.CheckButton()
On 2010/01/02 16:19:39, ced wrote:
> A check box is really not user friendly.

How should the user choose between secure and insecure connection then?

> As I already said, it is enough to prevent to drop a SSL connection after the
> connection lost.

No, it is not. The user has to have control of whether a secure connection is to
be used. I must not (no, never) be left to some remote system, since the remote
system may be the eavesdropper.

There have been some publications last year about people using
http://www.paypal.com instead of https:// and expecting to get redirected to
https://... These papers discuss how easy an eavesdropper can use his to
intercept communication (and make payments for his own sake).

http://codereview.appspot.com/181110/diff/1/4
File tryton/gui/main.py (right):

http://codereview.appspot.com/181110/diff/1/4#newcode1186
tryton/gui/main.py:1186: info = '\n' + rpc._SOCK.host
On 2010/01/02 16:19:39, ced wrote:
> Why removing ssl information?

Typo / Bug.

http://codereview.appspot.com/181110/diff/1/9
File tryton/ipv6.py (right):

http://codereview.appspot.com/181110/diff/1/9#newcode9
tryton/ipv6.py:9: class IPv6Mixin:
On 2010/01/02 16:19:39, ced wrote:
> What is the usage ?

Adding IPv6 to a class using a Mixin.

http://codereview.appspot.com/181110/diff/1/10
File tryton/pysocket.py (right):

http://codereview.appspot.com/181110/diff/1/10#newcode15
tryton/pysocket.py:15: from OpenSSL import SSL
On 2010/01/02 16:19:39, ced wrote:
> There is no need for OpenSSL, it adds a new dependecy.
> The default ssl from python works well.

Module ssl is only available from Python 2.6 up. See description for this
changeset.

http://codereview.appspot.com/181110/diff/1/10#newcode46
tryton/pysocket.py:46: while 1:
On 2010/01/02 16:19:39, ced wrote:
> It is preferred while True
> And it is not necessary to loop there.

This loop is necessary, since self.sock.recv() may fail with weird errors just
of OpenSSLs internal state. You may get errors like the WantReadError even if
the server has send an answer.

http://codereview.appspot.com/181110/diff/1/10#newcode50
tryton/pysocket.py:50: import sys ; print >> sys.stderr, e
On 2010/01/02 16:19:39, ced wrote:
> Don't use print statement

Tesing left over.

ced

16 years, 1 month ago (2010-01-06 17:32:32 UTC) #7

http://codereview.appspot.com/181110/diff/1/2
File tryton/common/common.py (right):

http://codereview.appspot.com/181110/diff/1/2#newcode170
tryton/common/common.py:170: entry_secure = gtk.CheckButton()
On 2010/01/06 16:20:36, h.goebel wrote:
> On 2010/01/02 16:19:39, ced wrote:
> > A check box is really not user friendly.
> 
> How should the user choose between secure and insecure connection then?

The user doesn't have the choice. The server is not able to use both kind of
connection.

> 
> > As I already said, it is enough to prevent to drop a SSL connection after
the
> > connection lost.
> 
> No, it is not. The user has to have control of whether a secure connection is
to
> be used. I must not (no, never) be left to some remote system, since the
remote
> system may be the eavesdropper.
> 
> There have been some publications last year about people using
> http://www.paypal.com instead of https:// and expecting to get redirected to
> https://... These papers discuss how easy an eavesdropper can use his to
> intercept communication (and make payments for his own sake).

Tryton is not a browser. You must specify the port. And the issue is about the
authentication of the server.

http://codereview.appspot.com/181110/diff/1/4
File tryton/gui/main.py (right):

http://codereview.appspot.com/181110/diff/1/4#newcode1186
tryton/gui/main.py:1186: info = '\n' + rpc._SOCK.host
On 2010/01/06 16:20:36, h.goebel wrote:
> On 2010/01/02 16:19:39, ced wrote:
> > Why removing ssl information?
> 
> Typo / Bug.

I don't understand.

http://codereview.appspot.com/181110/diff/1/9
File tryton/ipv6.py (right):

http://codereview.appspot.com/181110/diff/1/9#newcode9
tryton/ipv6.py:9: class IPv6Mixin:
On 2010/01/06 16:20:36, h.goebel wrote:
> On 2010/01/02 16:19:39, ced wrote:
> > What is the usage ?
> 
> Adding IPv6 to a class using a Mixin.

Where is it used?

http://codereview.appspot.com/181110/diff/1/10
File tryton/pysocket.py (right):

http://codereview.appspot.com/181110/diff/1/10#newcode12
tryton/pysocket.py:12: import tryton.ipv6 as ipv6
I would prefere to keep pysocket independent.
Like that you can use it to write scripts.

http://codereview.appspot.com/181110/diff/1/10#newcode15
tryton/pysocket.py:15: from OpenSSL import SSL
On 2010/01/06 16:20:36, h.goebel wrote:
> On 2010/01/02 16:19:39, ced wrote:
> > There is no need for OpenSSL, it adds a new dependecy.
> > The default ssl from python works well.
> 
> Module ssl is only available from Python 2.6 up. See description for this
> changeset.

The existing ssl code works on python 2.4 and 2.5

http://codereview.appspot.com/181110/diff/1/10#newcode46
tryton/pysocket.py:46: while 1:
On 2010/01/06 16:20:36, h.goebel wrote:
> On 2010/01/02 16:19:39, ced wrote:
> > It is preferred while True
> > And it is not necessary to loop there.
> 
> This loop is necessary, since self.sock.recv() may fail with weird errors just
> of OpenSSLs internal state. You may get errors like the WantReadError even if
> the server has send an answer.

A little comment would be welcome as we never had this issue.

ced

16 years, 1 month ago (2010-01-08 08:34:43 UTC) #8

http://codereview.appspot.com/181110/diff/1/10
File tryton/pysocket.py (right):

http://codereview.appspot.com/181110/diff/1/10#newcode12
tryton/pysocket.py:12: import tryton.ipv6 as ipv6
On 2010/01/06 17:32:32, ced wrote:
> I would prefere to keep pysocket independent.
> Like that you can use it to write scripts.

You can add an ipv6 option to PySocket like that the file will no more depend on
ipv6 module

Expand All Messages | Collapse All Messages