SSL/TLS - am I doing it right?

Frank Millman frank at chagford.com
Wed Mar 15 05:56:03 CET 2006


Michael Ekstrand wrote:
> Disclaimer: I am not an expert. Take this with a grain of salt... but
> I'll throw it out for what it's worth.
>
>
> For what it's worth, the Web does not authenticate clients (for the
> most part anyway). The server is authenticated - its certificate is
> checked against the root CA list. But clients aren't expected to have
> their own certificates. I think that the only time you really need the
> clients to have certificates is when the certificate *is* your
> authentication (e.g., in OpenVPN). Likewise, SSH does not verify client
> certificates (unless you're using PKA, but that's different).
>

Thanks for this, Michael - this is what I feel as well. Unless I hear
to the contrary from Paul or Sybren, this is the approach I will
follow.

My next problem is that TLSLite does not seem to support select().
There is an abstract class called AsyncStateMachine which I think is
provided to simulate this. If I do not figure it out I may come back
here with more questions, but I will start a new thread for that.

Many thanks to all.

Frank




More information about the Python-list mailing list