DO NOT roll your own Crypto! Use standard services and libraries.
It is NOT advisable in any circumstances to develop any sort of cryptography on your own. Instead, there are a few options for standard libraries that can be used. These libraries offer better stability as they are usually a product of several years of experience in implementing cryptography by an active development community who are dedicated towards efforts in implementation. This constant review and improvement has characterized standard libraries as reliable and robust.
OpenSSL is one such library which popular and therefore is used as an example for this concept. OpenSSL is not the only available crypto library. For a list of different libraries and a comparision between them, visit here.
OpenSSL is a general purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
The library includes tools for generating RSA private keys, and Certificate Signing Requests (CSRs), checksums, managing certificates and performing encryption/decryption. OpenSSL is written in C, but wrappers are available for a wide variety of computer languages.
OpenSSL version 1.0.1 released on March 14, 2012 was the first OpenSSL Library to support TLSv1.2. But OpenSSL does not officially support the release anymore. Version 1.0.2 (released on 22nd January, 2015) is an Long Term Support (LTS) release and is scheduled to be supported till the end of year 2019. OpenSSL defines LTS support as follows:
These are the official list of what is included in OpenSSL version 1.0.2:
Note: The latest major release for OpenSSL is 1.1.1 LTS (released on 11th September, 2018).. Again, we do not stress on upgrading OpenSSL blindly without properly evaluating the products that use them (and their advisories) and the consequences of an upgrade.
Find out which openssl version you are using:
Use the version option.
$ openssl version OpenSSL 1.0.1e-fips 11 Feb 2013
You can get much more information with the version -a option.
$ openssl version -a OpenSSL 1.0.1e-fips 11 Feb 2013 built on: Thu Jul 23 19:06:35 UTC 2015 platform: linux-x86_64 options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/etc/pki/tls" engines: rdrand dynamic
There are a lot of libraries that Python can use for SSL/TLS. Some of the notable ones include the native SSL module in Python and PyOpenSSL. Both these libraries are essentially wrappers around the OpenSSL Library found on the system where Python is installed. Some behavior may be platform dependent, since calls are made to the operating system socket APIs. The installed version of OpenSSL may also cause variations in behavior.
To check which openssl version you are using execute the following within Python:
import ssl print ssl.OPENSSL_VERSION<
Here is a basic example of how to use Python’s SSL library to perform a TLS handshake using sockets:-
def handshake(sock): # this will trigger the handshake # if sock is already connected new_sock = ssl.wrap_socket(sock, ciphers="HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5", ssl_version=ssl.PROTOCOL_TLSv1_2, ... ... ) return new_sock
pyOpenSSL is collaboratively developed by the Python Cryptographic Authority (PyCA) that also maintains the low-level bindings called cryptography. It’s a well documented wrapper around OpenSSL and supports all the features required for TLSv1.2.
Almost everything that you would want with pyOpenSSL is on their website:
Here are some examples of opensource code that utilizes pyOpenSSL:
HTTP Server supporting SSL: http://code.activestate.com/recipes/442473-simple-http-server-supporting-ssl-secure-communica/
HTTP Client: http://www.de-brauwer.be/wiki/wikka.php?wakka=PyOpenSSLClient
Validating a Certificate: http://blog.san-ss.com.ar/2012/05/validating-ssl-certificate-in-python.html
Please be careful while upgrading your crypto library. Do not simply upgrade the package without thinking about the implications it might have on existing features of your application or operating system.
A lot of application and Operating System vendors provide specific guidelines on how to upgrade your software. A lot of vendors perform extensive testing of new releases of libraries like OpenSSL to ensure that no existing functionality is affected. Usually, these vendors release their own updates called backported packages. The security team backports security fixes to the released code versions, so while you will not get new features you can be reasonably sure that your SSL libraries are up to date.
Here are a couple of examples for regarding upgrades to popular Operating Systems: