SSL/TLS - am I doing it right?

Frank Millman frank at chagford.com
Tue Mar 14 07:12:38 EST 2006


Paul Rubin wrote:
> "Frank Millman" <frank at chagford.com> writes:
> > I don't know how to check the certificates. None of the documentation I
> > have read spells out in detail how to do this.
>
> Lemme see if I can find you something--I'll put up another post if I do.
>

Thanks

> Didn't you say wireless?  That's not an internal network, it's a
> network that extends off the premises and is accessible to anyone with
> a laptop who can park a car in the neighborhood.
>

One of my goals is to use a diskless, wireless workstation that can be
positioned anywhere without a whole lot of cabling. This will be
particularly beneficial in a retail point-of-sale environment. It was
this that got me onto the idea of SSL, to prevent the proverbial car in
the neighborhood from eavesdropping on the network traffic.

> > Using openssl, generate a key for the server, generate a self-signed
> > certificate, and extract the sha1 fingerprint of the certificate. The
> > key must be kept secure but the fingerprint can be published.
>
> Then install a copy of the certificate on the client, that the client
> can authenticate against.

I wanted to keep the legwork required to set up a new client down to a
minimum. I was hoping that setting a pointer to the client software,
and a pointer to a connection parameter, would be sufficient. If the
fingerprint is an adequate substitute for the full certificate, I
would prefer it, as it is much smaller, and can easily form part of the
connection parameter.

>  You also want to generate a client
> certificate to install on the server.  If there are multiple clients
> you should make a CA rather than trying to keep track of self-signed
> certificates.  If you're paranoid, you can scrounge some $20 obsolete
> laptop from ebay and dedicate it to use as a CA, never letting it
> touch the internet (transfer files to and from it on floppy disc).
>

Both you and Sybren are insistent that this is a necessary step, but I
confess I cannot see the need for it. The client is lightweight, and
authenticates itself to the server using a user id and password. What
is the worst that could go wrong?

>
> 2. I don't see the docs for getFingerprint at
>    http://trevp.com/tlslite/docs/index.html

To quote from the docs, if the handshake completes without raising an
exception, authentication results will be stored in the connection's
session object. The following variables will be populated if
applicable, or else set to None:

...
connection.session.serverCertChain
...

session is an instance of the class Session.
serverCertChain is an instance of the class X509CertChain
getFingerprint() is a method of X509CertChain - it returns the
hex-encoded fingerprint of the end-entity certificate.

Paul, I would like to thank you and Sybren for your patience. I feel I
am being a bit obtuse. I am trying to understand enough of this so that
I can implement 'enough' security to protect users against obvious
attacks, without overburdening them with a load of maintenance which in
practice they will end up ignoring.

Many thanks

Frank
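
The fingerprint check discussed in this message, as an added example that is not part of the original post: it uses Python's standard `ssl` module rather than tlslite, and the function names are hypothetical. It assumes the pin is the hex digest of the server's DER-encoded certificate, in the form `openssl x509 -fingerprint` prints; accepting SHA-256 pins as well as SHA-1 is an addition of this example.

```python
import hashlib
import hmac
import socket
import ssl

# Digest is chosen from the pin's length: 40 hex chars = SHA-1 (as in the
# post), 64 = SHA-256 (an addition of this example).
_ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256"}


def normalize_pin(pin):
    """Accept 'AB:CD:...', 'ab cd ...' or 'SHA1 Fingerprint=AB:CD:...'."""
    pin = pin.split("=", 1)[-1]
    cleaned = "".join(c for c in pin.lower() if c not in ": \t\r\n")
    if len(cleaned) not in _ALGO_BY_HEXLEN:
        raise ValueError("pin is not a SHA-1 or SHA-256 fingerprint")
    if any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin contains non-hex characters")
    return cleaned


def cert_matches_pin(der_cert, pin):
    """True only if the digest of the DER certificate equals the pin."""
    expected = normalize_pin(pin)
    algo = _ALGO_BY_HEXLEN[len(expected)]
    actual = hashlib.new(algo, der_cert).hexdigest()
    # Constant-time comparison; any mismatch means "do not talk to this peer".
    return hmac.compare_digest(actual, expected)


def connect_pinned(host, port, pin, timeout=10.0):
    """Return a TLS socket, or raise if the server certificate is not pinned."""
    normalize_pin(pin)  # reject a malformed pin before any network traffic
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Self-signed server: CA chain and hostname checks are switched off and
    # the fingerprint comparison below is the only server authentication.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not der or not cert_matches_pin(der, pin):
        tls.close()  # fail closed before any user id or password is sent
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return tls
```

The comparison has to happen before the client sends its user id and password, which is why `connect_pinned` closes the socket and raises instead of returning an unverified connection.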