[Zope] Zope and SSL

Christopher Petrilli petrilli@digicool.com
Thu, 13 Jan 2000 11:30:14 -0500


On 1/13/00 8:11 AM, Rob Page at rob.page@digicool.com wrote:

> Hi Joachim:
> 
>> In http://www.egroups.com/group/medusa/47.html I read about
>> using "STunnel"
>> (http://mike.daewoo.com.pl/computer/stunnel/) to add SSL
>> functionality to Medusa.
>> 
>> As ZServer is derived from Medusa, this should work for Zope, too.

Search the archives, I know several people have mentioned getting stunnel to
work... I never tried, not having the bandwidth right now.

>> Has anyone tried to use this combination? Any experience? I'm
>> asking because I like the idea of having ONLY ZServer running as a web
>> server, not a combination of ZServer and Apache. The only thing I'd need
>> Apache (or Roxen) for, would be the SSL support.
>> 
>> BTW: Is native SSL support planned for ZServer?
> 
> Chris Petrilli, our local security story manager, is working on a number
> of different projects.  Lest this go unanswered I'll pipe in....  If you
> want to ask a question, ask him!  :^)

The main reason, as Rob outlines, that we don't support SSL in ZServer is
that it's simply very difficult to get RIGHT (my previous job was heavily
PKI oriented, so crypto is in my blood), and quite honestly all of the focus
on design is in the Apache world, and it seems important to leverage that,
rather than trying to invent it all.

Additionally, serious SSL sites are going to use something like a Rainbow
accelerator for the crypto, and that requires specific libraries be used
(namely RSA's commercial libraries, etc), which of course we don't want to
get into right now.

Given the expense of SSL session setup, the burden of PCGI isn't very
onerous, and quite honestly, if you go to FastCGI, it's largely irrelevant.

> Historically, incorporating encryption into Zope has been a real
> obstacle for us for the following reasons:
> 
> (1)  it ain't easy,
> (2)  US export restrictions on the cryptographic software/tools
> 
> With yesterday's significant announcement by the US Govt:
> 
> http://www.infobeat.com/stories/cgi/story.cgi?id=2563227804-a95
> 
> it looks like (2) will no longer be an issue.  However, (1) still is...

#1 is a huge issue, as Rob says, and #2, well... the landscape changes
daily, and where I used to work we had 1 person dedicated to the legal
issues of both exporting AND importing into other countries.

> and (1) is a BIGGIE.  To really use SSL for both server AND client
> identification/authentication there is a LOT to do.  I'm not sure that
> we've got the bandwidth (funded or not) to do this in the foreseeable
> future.

Given I don't believe we have any value to add on the HTTP/SSL server side
of the equation I would say that we're unlikely to head in that direction
anytime soon.  Having said that, patches are naturally accepted ;-)

> Naturally, if there was a funded effort we could at least look at what
> it would take.  Alternatively, we could provide advice and guidance to
> any person or group that wanted to take this project on (with a serious
> intent to finish).

I believe the more interesting aspect for me, at least, and for customers in
the long haul, and where we can add serious value is in the integration of
PKI client-authentication (using X.509 certs) into the Zope security model
in a more elegant way.  I've got tons of ideas on this, mostly fully fleshed
out, but there's simply been no customer demand for this.

Hope this helps to direct some thought.

Chris

-- 
| Christopher Petrilli        Python Powered        Digital Creations, Inc.
| petrilli@digicool.com                             http://www.digicool.com