SSL/TLS - am I doing it right?
frank at chagford.com
Mon Mar 13 11:53:00 CET 2006
Sybren Stuvel wrote:
> Frank Millman enlightened us with:
> > while 1:
> >     conn,addr = s.accept()
> >     c = TLSConnection(conn)
> >     c.handshakeServer(certChain=certChain,privateKey=privateKey)
> >     data = c.recv(1024)
> It's nice that you set up a TLS connection, but you never check the
> certificate of the other side for validity. You should make sure the
> certificate chain is completely signed from top to bottom. Then check
> that the bottom certificate is amongst trusted CAs. Also check all the
> certificates in the chain against the CRL of the CA.
Thanks for the reply, Sybren.
I was hoping to avoid this step. The point of the exercise for me is
encryption. I am not too worried about authentication. The next step in
my app is for the client to enter a user id and password, and the
server will not proceed without verifying this.
However, I realise that security is not something to be trivialised, so
if your recommendation is that I do complete the validation steps, I
will try to understand that part of the documentation and apply that as
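
The peer checks listed in the quoted reply, as an added example that is not part of either poster's message. It uses Python's standard `ssl` module rather than the tlslite calls in the thread, and the function names are hypothetical; the host name check is an extra check that the reply does not mention.

```python
import ssl


def unauthenticated_client_context():
    """Encrypts traffic but accepts any certificate from the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def verifying_client_context(cafile=None, check_crl=False):
    """Requires a chain to a trusted CA and a certificate matching the host name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if check_crl:
        # With this flag the handshake fails unless CRLs for the CAs in the
        # chain have been loaded with ctx.load_verify_locations().
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def audit_context(ctx):
    """Return the peer checks that this context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate not matched to the host name")
    crl = ssl.VERIFY_CRL_CHECK_CHAIN
    if (ctx.verify_flags & crl) != crl:
        findings.append("no CRL check on the chain")
    return findings


if __name__ == "__main__":
    contexts = (
        ("encryption only", unauthenticated_client_context()),
        ("verified", verifying_client_context()),
        ("verified + CRL", verifying_client_context(check_crl=True)),
    )
    for name, ctx in contexts:
        print(name, "->", audit_context(ctx) or "all checks enabled")
```

A client using the first context sends the user id and password to whichever endpoint completes the handshake, since nothing ties the encrypted channel to the intended server.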