From Quora: Will Linux incorporate tcpcrypt?

Someone on Quora just asked: “Will Linux incorporate tcpcrypt?”. I posted a response over there:

I have been working on and off with tcpcrypt for about a year. I believe that if someone puts in the time to polish the Linux kernel implementation, it’d be a likely candidate for inclusion. Andrea Bittau (the lead tcpcrypt guy) told me he would like to work on the kernel implementation himself sometime in the future. Andrea, Mark Handley, and David Mazieres are also working on the Internet Draft.

For now, the userspace implementation works well (and supports Linux, Mac OS X, FreeBSD, and Windows). It has a library so that endpoints can see the tcpcrypt session ID (to perform their own authentication), at https://github.com/sorbo/tcpcrypt/blob/master/user/include/tcpcrypt/tcpcrypt.h, and I made an Apache module that passes the session ID to Web apps, at https://github.com/sqs/mod_tcpcrypt.

On the advantages of tcpcrypt over TLS:

If your system runs tcpcryptd, then existing applications will use tcpcrypt. If the destination host doesn’t support tcpcrypt, then the channel falls back to normal TCP with no communication round-trip overhead. If both sides support tcpcrypt, then the applications get encryption for free (no code changes and minimal overhead). Of course, this only protects against passive attackers; to protect against active attacks, the apps would have to be modified to authenticate using the tcpcrypt session ID. Still, it’s better than cleartext. This, I think, is the key benefit tcpcrypt has over TLS: it makes encrypted-by-default really simple to bring about.

See also the tcpcrypt Internet-Draft and the tcpcrypt Wikipedia page.
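The session-ID authentication mentioned above, sketched as an added example (not part of the original post or of the tcpcrypt code). It assumes the two applications already share a secret and that each reads its own view of the session ID from the tcpcrypt library; the secret, role labels, and session IDs below are constructed for illustration.

```python
import hashlib
import hmac

def auth_tag(secret: bytes, role: bytes, session_id: bytes) -> bytes:
    """MAC that binds a pre-shared secret to one tcpcrypt session and one role."""
    return hmac.new(secret, role + b"|" + session_id, hashlib.sha256).digest()

def verify(secret: bytes, role: bytes, local_sid: bytes, tag: bytes) -> bool:
    """Check the peer's tag against the session ID this endpoint itself sees."""
    return hmac.compare_digest(auth_tag(secret, role, local_sid), tag)

def mutual_auth(client_secret, server_secret, client_sid, server_sid):
    """Run both proofs over the channel; return (server_accepts, client_accepts)."""
    client_proof = auth_tag(client_secret, b"client", client_sid)
    server_accepts = verify(server_secret, b"client", server_sid, client_proof)
    server_proof = auth_tag(server_secret, b"server", server_sid)
    client_accepts = verify(client_secret, b"server", client_sid, server_proof)
    return server_accepts, client_accepts

# Constructed sample values. A real session ID comes from the tcpcrypt
# handshake; these 20-byte strings only stand in for it.
SECRET = b"constructed pre-shared secret"
SID_A = hashlib.sha256(b"constructed session A").digest()[:20]
SID_B = hashlib.sha256(b"constructed session B").digest()[:20]

if __name__ == "__main__":
    # Direct connection: both endpoints see the same session ID.
    print("direct:      ", mutual_auth(SECRET, SECRET, SID_A, SID_A))
    # Active attacker in the middle terminates two separate tcpcrypt
    # sessions, so the endpoints see different session IDs and relayed
    # proofs fail on both sides.
    print("intercepted: ", mutual_auth(SECRET, SECRET, SID_A, SID_B))
    # A peer that does not know the secret fails even on a direct connection.
    print("wrong secret:", mutual_auth(SECRET, b"guess", SID_A, SID_A))
```

The role label keeps a client proof from being reflected back as a server proof on the same session.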

Posted in tcpcrypt

What I’ve finished reading, Jan-May 2011

I enjoyed all of them–or else I wouldn’t have finished reading them.

Posted in Reading

Reading “Sum: Forty Tales from the Afterlives” by David Eagleman

Just started reading Sum: Forty Tales from the Afterlives by David Eagleman. I heard about the book from an interesting New Yorker profile of him.

I’ll update this post when (or if) I finish reading the book.

Update (May 31): Just finished reading it. Very thought-provoking. My favorite was the one where people wait in the afterlife until the last utterance of their name.

Posted in Reading

Python 3.3 patch for TLS-SRP support

I just posted a patch for Python 3.3 to add TLS-SRP support (Issue #11943). This patch adds support for TLS-SRP (RFC 5054) to Python ssl.SSLSocket, _ssl.c, http, and urllib. TLS-SRP lets a client and server establish a mutually authenticated SSL channel using only a username and password (a certificate may also be used to supplement authentication). Two Python-specific use cases for TLS-SRP are calling HTTP APIs that require auth, and writing test suites in Python for networked software (e.g., how Chromium uses TLSLite for network testing). More info at http://trustedhttp.org/wiki/TLS-SRP_in_Python.

Posted in Programming, TLS-SRP

TLS-SRP patch for Apache 2 mod_ssl

I just posted a patch for TLS-SRP support in Apache 2 mod_ssl on the wiki and as ASF Bugzilla #51075.

Posted in Programming, TLS-SRP

Updated Steffen Schulz’s NSS patch for TLS-SRP support

I updated Steffen Schulz’s NSS patch for TLS-SRP support and posted it to Bugzilla #405155. NSS (Network Security Services) is a Mozilla library that provides SSL and crypto routines to Firefox, Chrome, and lots of other apps.

I modified Steffen Schulz’s patch to:

  • use the same format for the SRP passwd and group param file as libsrp, so
    that the standard srptool (provided by libsrp or GnuTLS) can be used. This
    means that srputil (which duplicated srptool’s functionality) is no longer
    necessary to include in this patch. (This means either libsrp or GnuTLS is
    required to generate SRP passwd files. Is this OK, or does NSS need to be fully
    self-contained? For the test suite, I have included pre-generated SRP passwd
    files.)
  • implement TLS-SRP in selfserv instead of SSLsample.
  • include TLS-SRP tests. (These currently fail because of a memory leak;
    ignoring that, they pass.)
  • apply cleanly against nss-3.12.9.

See “TLS-SRP in NSS” on the wiki for more usage instructions, but here’s a quick example:

tstclnt usage:
tstclnt -l jsmith -k abc -h tls-srp.test.trustedhttp.org -d /tmp/certs/ -c :C01D -o -3 -2
# then GET /

selfserv usage:
cd $NSS/mozilla/security/nss/tests
selfserv -n localhost -p 4443 -v -H ssl/tpasswd.conf -K ssl/tpasswd -d /tmp/certs/
tstclnt -p 4443 -h localhost -f -d /tmp/certs -v -l TestUser -k nss -2 -c :C01D

This patch still needs a lot more work before it’s ready for serious review, but I wanted to get some feedback on it now.

Posted in Programming, TLS-SRP

TLS-SRP in Chrome announcement

I just posted an in-progress patch that adds TLS-SRP support to Chrome over at the Chromium code review site. I also posted a Chromium-discuss message announcing my progress.

To install it yourself, see the TLS-SRP in Chrome wiki page.

Chrome TLS-SRP login (preliminary)

Chrome TLS-SRP Web page

Posted in Programming, TLS-SRP

Patch: RFC 5054-compliant TLS-SRP support for TLS Lite

I submitted a patch to TLS Lite that updates its TLS-SRP support to comply with RFC 5054. Read the email message to tlslite-users or download the patch (tlslite+tls-srp-rfc5054.patch). I’ve also applied this patch to my tlslite git repository.

Posted in Programming, TLS-SRP

TLS-SRP patch (probably) accepted into OpenSSL 1.0.1

Looks like TLS-SRP will be in OpenSSL 1.0.1. Tom Wu’s patch at http://cvs.openssl.org/chngview?cn=20484 was finally accepted.

(HT: Tom Wu and Daniel Stenberg)

Posted in Programming, TLS-SRP

cURL 7.21.4 released, with TLS-SRP support

cURL 7.21.4 was just released, with support for TLS-SRP. I submitted the patch for this feature (based on a previous patch by Peter Sylvester).

If you are using, or are interested in using, TLS-SRP on the Web, I’d love to hear from you. I also have instructions on setting up a TLS-SRP Web server, and Firefox and NSS with TLS-SRP support (based on patches from Steffen Schulz and John Engler).

Posted in Programming, TLS-SRP