SSL/TLS - am I doing it right?
Tue Mar 14 10:44:30 CET 2006
"Frank Millman" <frank at chagford.com> writes:
> I don't know how to check the certificates. None of the documentation I
> have read spells out in detail how to do this.
Lemme see if I can find you something--I'll put up another post if I do.
> What about this idea? I am not looking for a state-of-the-art solution.
> I am looking for something that is 'good enough' for a typical SME with
> its own internal network.
Didn't you say wireless? That's not an internal network, it's a
network that extends off the premises and is accessible to anyone with
a laptop who can park a car in the neighborhood.
> Using openssl, generate a key for the server, generate a self-signed
> certificate, and extract the sha1 fingerprint of the certificate. The
> key must be kept secure but the fingerprint can be published.
Then install a copy of the certificate on the client, that the client
can authenticate against. You also want to generate a client
certificate to install on the server. If there are multiple clients
you should make a CA rather than trying to keep track of self-signed
certificates. If you're paranoid, you can scrounge some $20 obsolete
laptop from ebay and dedicate it to use as a CA, never letting it
touch the internet (transfer files to and from it on floppy disc).
> After establishing an SSL connection, the client compares the session
> fingerprint (TLSLite has a getFingerprint() function) with the
> parameter. If different, client assumes it is talking to an imposter
> and disconnects.
> Are there any gaping holes in this approach?
1. You have to authenticate both the server and the client; you can do
that with certificates at both ends (preferred for non-public-facing
applications) or you could do it with something like a client password
sent through the TLS session after the session is established.
2. I don't see the docs for getFingerprint at
More information about the Python-list