This module adds TLS-PSK support to the Python 2.7 and 3.x ssl
package. Simply use
sslpsk3.wrap_socket(sock, psk=b'...', ...)
instead of
ssl.wrap_socket(sock, ...)
There were two published versions on PyPI, both without Python 3.11 support.
Additionally, for whatever reason, the Windows build of sslpsk2 for Python 3.10 has been linked against OpenSSL 3,
while Python 3.10 on Windows uses OpenSSL 1.1.1, which causes run-time crashes (Python started using OpenSSL 3 in 3.11.5).
This fork aims to fix the incompatibility between OpenSSL versions.
Availability of binary wheels for Windows:
sslpsk | sslpsk2 | sslpsk3 | |
|---|---|---|---|
| Python 2.7 | 1.0.0 | - | - |
| Python 3.3 | 1.0.0 | - | - |
| Python 3.4 | 1.0.0 | - | - |
| Python 3.5 | 1.0.0 | - | - |
| Python 3.6 | 1.0.0 | - | - |
| Python 3.7 | - | 1.0.1 | - |
| Python 3.8 | - | 1.0.1 | 1.1.0+ |
| Python 3.9 | - | 1.0.1 | 1.1.0+ |
| Python 3.10 | - | 1.0.2 | 1.1.0+ |
| Python 3.11 | - | - | 1.1.0+ |
| Python 3.12 | - | - | 1.1.1+ |
pip install sslpsk3
pip builds from source for Linux and Mac OSX, so a C compiler, the Python
development headers, and the openSSL development headers are required. For
Microsoft Windows, pre-built binaries are available so there are no such
prerequisites.
sslpsk3.wrap_socket(...) is a drop-in replacement for ssl.wrap_socket(...) that
supports two additional arguments, psk and hint.
psk sets the preshared key and, optionally, the identity for a client
connection. hint sets the identity hint for a server connection and is
optional.
For client connections, psk can be one of four things:
sslpsk3.wrap_socket(sock, psk=b'mypsk')
sslpsk3.wrap_socket(sock, psk=(b'mypsk', b'myidentity'))
PSK_FOR = {b'server1' : b'abcdef',
b'server2' : b'123456'}
sslpsk3.wrap_socket(sock, psk=lambda hint: PSK_FOR[hint])
PSK_FOR = {b'server1' : b'abcdef',
b'server2' : b'123456'}
ID_FOR = {b'server1' : b'clientA',
b'server2' : b'clientB'}
sslpsk3.wrap_socket(sock, psk=lambda hint: (PSK_FOR[hint], ID_FOR[hint]))
For server connections, psk can be one of two things:
sslpsk3.wrap_socket(sock, server_side=True, psk=b'mypsk')
PSK_FOR = {b'clientA' : b'abcdef',
b'clientB' : b'123456'}
sslpsk3.wrap_socket(sock, server_side=True, psk=lambda identity: PSK_FOR[identity])
Additionally for server connections, the optional server identity hint is
specified using the hint argument.
sslpsk3.wrap_socket(sock, server_side=True, hint=b'myidentity', psk=b'mypsk')
If hint is not specified, None, or the empty string, the identity hint
will not be sent to the client.
from __future__ import print_function
import socket
import ssl
import sslpsk3
PSKS = {'client1' : 'abcdef',
'client2' : '123456'}
def server(host, port):
tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
tcp_sock.bind((host, port))
tcp_sock.listen(1)
sock, _ = tcp_sock.accept()
ssl_sock = sslpsk3.wrap_socket(sock,
server_side = True,
ssl_version=ssl.PROTOCOL_TLSv1,
ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH',
psk=lambda identity: PSKS[identity],
hint=b'server1')
msg = ssl_sock.recv(4).decode()
print('Server received: %s'%(msg))
msg = "pong"
ssl_sock.sendall(msg.encode())
ssl_sock.shutdown(socket.SHUT_RDWR)
ssl_sock.close()
def main():
host = '127.0.0.1'
port = 6000
server(host, port)
if __name__ == '__main__':
main()
from __future__ import print_function
import socket
import ssl
import sslpsk3
PSKS = {b'server1' : b'abcdef',
b'server2' : b'uvwxyz'}
def client(host, port, psk):
tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_socket.connect((host, port))
ssl_sock = sslpsk3.wrap_socket(tcp_socket,
ssl_version=ssl.PROTOCOL_TLSv1,
ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH',
psk=lambda hint: (PSKS[hint], b'client1'))
msg = "ping"
ssl_sock.sendall(msg.encode())
msg = ssl_sock.recv(4).decode()
print('Client received: %s'%(msg))
ssl_sock.shutdown(socket.SHUT_RDWR)
ssl_sock.close()
def main():
host = '127.0.0.1'
port = 6000
client(host, port, PSKS)
if __name__ == '__main__':
main()
Fork of drbild/sslpsk.
The main approach was borrowed from webgravel/common-ssl.
Version from autinerd/sslpsk2 updated to work with OpenSSL v1 and v3.
Please submit bugs, questions, suggestions, or (ideally) contributions as issues and pull requests on GitHub.
Copyright 2017 David R. Bild, 2020 Sidney Kuyateh, 2023 Kuba Szczodrzyński
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this work except in compliance with the License. You may obtain a copy of the License from the LICENSE.txt file or at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
FAQs
Adds TLS-PSK support to the Python ssl package
We found that sslpsk3 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.