I work in a secure environment where the company proxy does a man-in-the-middle attack on all inbound traffic. That means any HTTPS comes to me with a broken certificate.
It's unlikely that I'm going to be able to convince our network security people to stop doing this on my account. I'm not even going to try to fix that problem.
Unfortunately this affects my use of PyPI: I want to set up an Artifactory repository to mirror PyPI internally, but since the certificates are messed up Artifactory rejects any content.
It used to be possible to access PyPI's repository via HTTP, but this feature seems to have been recently disabled. I was wondering if there's an alternative way to access PyPI that doesn't use HTTPS - perhaps some barely documented back door?
The only alternative I can think of is to spin up a reverse proxy on AWS/Azure and use that to permit insecure access. Any suggestions?
Related
Our end-to-end tests use Django's LiveServerTestCase with Selenium. So far we have only been able to run these on insecure urls. However, some of the libraries that we use (Square) require a page to be on https even in sandbox mode.
When attempting to connect to a secure url, Selenium/Chrome Webdriver simply shows the standard SSL not supported error:
This site can’t provide a secure connection chezpierre.localtest.me sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Does anyone know if it is possible to enable https on a LiveServerTestCase?
If not, does anyone have a working workaround for this? I'm trying to avoid running a separate https proxy on our build box, but it seems like it might be the only way.
After some quick research I found out that this is impossible in Django, as suggested by this old ticket: https://code.djangoproject.com/ticket/25328
I also found out that you could set up a tunnel to bypass this issue. However, this applies to the Django development server. It is kind of tricky, so I am leaving links to posts, as the method is rather long:
https://www.ianlewis.org/en/testing-https-djangos-development-server
or
How can I test https connections with Django as easily as I can non-https connections using 'runserver'?
ALTERNATIVE - In my opinion better
There is also a simpler way using an external package. It gives you an HTTPS-capable Django development server out of the box. The project is active and maintained:
https://github.com/teddziuba/django-sslserver
I want to use PayPal in a Django project, and in order to do this I need Django to work with TLS 1.2. Since I haven't worked with such encryption yet, I need advice on how to set up Django in a way that works with an https version that works with PayPal. I already have a working SSL certificate and was able to use django-sslserver to make Django work with https, but PayPal still does not work with it. Could someone give a hint where I should be looking for this kind of thing?
If you have a self-signed SSL certificate, then this is not going to work. You can get a free SSL certificate at Let's Encrypt: https://letsencrypt.org/.
If you use the JavaScript API, your site has to be served over HTTPS as well because of CORS.
I have completed my Python 3 application, and it is using multiple public modules from PyPI.
However, before I deploy it to run within my company's enterprise which will be handling credentials of our customers and accessing 3rd party APIs, I need to do due diligence that they are both secure and safe.
What steps must I perform:
Validate that PyPI modules are secure and safe to use (it is important to note that the target Python 3 app will be handling credentials)?
What is the most recommended way to validate PyPI modules' signatures?
Can PyPI module signatures be trusted?
By the way, the Python 3 application will be running within a Docker container.
Thank you
These are 3 separate questions, so:
You'll have to audit the package (or get someone else to do that) to know if it's secure. No easy way around it.
All PyPI packages have an MD5 signature attached (link in parentheses after the file). Some of them also attach a PGP signature, which shows up in the same place, but it's up to the author whether it's published or not (https://pypi.python.org/pypi/rpc4django for example includes both MD5 and PGP). MD5 verifies integrity. PGP verifies integrity and origin, so it's a better choice when available.
Just as much as any other signature.
If you're worried about dependencies to that level, I think you should look at maintaining your own internal PyPI repository. It gives you better verification (just sign the packages yourself after the initial download and only accept your signature). It gives you better reliability and speed (you can still build the software if PyPI goes down). And it avoids issues with replaced/updated packages which you haven't audited/approved yet.
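The answer above covers MD5 and PGP checks; the usual way to enforce integrity from an internal mirror is pip's hash-checking mode, where each requirement carries one or more `--hash=` pins. The following added example (not from the answer or from pip itself) generates such a pin for an artifact you have audited and verifies a download against it; the package name and the artifact bytes are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded wheel/sdist (not a real package).
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed-sample-wheel-bytes"

# pip hash-checking mode accepts lines of the form:
#   examplepkg==1.0 --hash=sha256:<hex> --hash=sha256:<hex>
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<hex>[0-9a-fA-F]+)")
# md5/sha1 pins are not accepted: a replaced file can ship a matching weak digest.
STRONG_ALGOS = {"sha256", "sha384", "sha512"}


def digest_hex(data, algo):
    """Hex digest of the artifact bytes with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def pin_line(name, version, data, algo="sha256"):
    """Requirement line pinning an artifact you have audited on the internal mirror."""
    return f"{name}=={version} --hash={algo}:{digest_hex(data, algo)}"


def parse_hashes(requirement_line):
    """Return [(algo, hexdigest), ...] for every --hash pin on the line."""
    return [(m.group("algo"), m.group("hex").lower())
            for m in HASH_RE.finditer(requirement_line)]


def verify_artifact(data, requirement_line):
    """True only if data matches at least one strong pinned digest.

    A line with no strong pins fails closed rather than passing silently.
    """
    pins = [(a, h) for a, h in parse_hashes(requirement_line) if a in STRONG_ALGOS]
    if not pins:
        return False
    return any(hmac.compare_digest(digest_hex(data, a), h) for a, h in pins)
```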
I have been using Python to create a web app, and it has been doing well so far. Now I would like to encrypt the transmission of data between client and server using https. The communication is generally just form posts and web pages; no money transactions are involved. Is there anything I need to change in the Python code except setting the server up with a certificate and configuring it to use https? I see a lot of information regarding SSL for Python, and I am not sure if I need those modules and Python setup to make https work.
Thanks
Typically, the SSL part of a Python web app is managed by some frontend web server like nginx, Apache or so.
This does not require any modification of your code (assuming you are not expecting users to authenticate by SSL certificate on the client side, which is a quite exotic, but possible, scenario).
If you want to run a pure Python solution, I would recommend using CherryPy, which is able to provide a rather reliable and performant web server part (it will very likely be slower than when served behind nginx or Apache).
I'd like to expose a simple TCP server written in Python to the internet. To authenticate clients, I'd like to rely on both client and server certificates. Does socketserver.TCPServer support this mode by default? If not, can you suggest how to extend the server to implement mutual authentication?
The default library doesn't handle secure sockets (SSL/TLS). Assuming you want to use that specific library no matter what, here's another discussion that shows a way to do it using the OpenSSL libraries.
If you want to write a server application, you might want to use Twisted, an event-oriented framework for writing network applications in Python. Here's the relevant documentation on how to enable SSL for a TCP server.
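Python's standard `ssl` module can wrap the connections that `socketserver.TCPServer` accepts, which is enough for mutual authentication without a third-party framework. The following is an added example, not code from either answer above: the server overrides `get_request` to wrap each accepted socket in a context that requires and verifies a client certificate. The three PEM paths are assumed placeholders.

```python
import socketserver
import ssl

# Assumed PEM paths (placeholders, not files from the question).
SERVER_CERT = "server.pem"      # server certificate chain
SERVER_KEY = "server-key.pem"   # matching private key
CLIENT_CA = "client-ca.pem"     # CA whose client certificates are accepted


def make_server_context(certfile=None, keyfile=None, cafile=None):
    """Server-side TLS policy; files load only when paths are given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # handshake fails without a client cert
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


class EchoHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # By the time handle() runs, the client certificate has already been
        # verified against CLIENT_CA during the handshake in get_request().
        subject = dict(rdn[0] for rdn in self.request.getpeercert()["subject"])
        self.wfile.write(b"hello " + subject.get("commonName", "?").encode() + b"\n")


class MutualTLSServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, handler, tls_context):
        self.tls_context = tls_context
        super().__init__(addr, handler)

    def get_request(self):
        # Wrap every accepted connection. On a blocking socket wrap_socket()
        # performs the handshake immediately; a failed handshake raises
        # SSLError (an OSError), which the socketserver loop catches and drops.
        conn, client_addr = super().get_request()
        return self.tls_context.wrap_socket(conn, server_side=True), client_addr


if __name__ == "__main__":
    ctx = make_server_context(SERVER_CERT, SERVER_KEY, CLIENT_CA)
    with MutualTLSServer(("0.0.0.0", 8443), EchoHandler, ctx) as srv:
        srv.serve_forever()
```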