SSL/TLS - am I doing it right?

Sybren Stuvel sybrenUSE at YOURthirdtower.com.imagination
Mon Mar 13 14:57:04 CET 2006


Paul Rubin enlightened us with:
> for example, OpenSSL (www.openssl.org) comes with a simple Perl
> script that acts as a rudimentary CA.

I never understood those CA scripts. I mean, creating a new CA
certificate only has to be done once, and is:

openssl req -new -x509 -key $KEY -out $OUT -days 365 -config $CONF

Signing a certificate request is easier:

openssl ca -in some.req

Why do people feel the need to wrap that up in some Perl script?

> Note that TLSLite at the moment doesn't know how to authenticate
> certificate chains all by itself without external libraries.  I
> didn't look at your code sample closely enough to figure out whether
> you were using OpenSSL or M2Crypto in a way that takes care of that.

TLS Lite can use both, and cryptlib_py too. For proper verification,
you need the latter. My CRL checks also require cryptlib.

Sybren
-- 
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself? 
                                             Frank Zappa



More information about the Python-list mailing list