SSL/TLS - am I doing it right?
sybrenUSE at YOURthirdtower.com.imagination
Mon Mar 13 14:57:04 CET 2006
Paul Rubin enlightened us with:
> for example, OpenSSL (www.openssl.org) comes with a simple Perl
> script that acts as a rudimentary CA.
I never understood those CA scripts. I mean, creating a new CA
certificate only has to be done once, and is:

    openssl req -new -x509 -key $KEY -out $OUT -days 365 -config $CONF

Signing a certificate request is easier:

    openssl ca -in some.req

Why do people feel the need to wrap that up in some Perl script?
> Note that TLSLite at the moment doesn't know how to authenticate
> certificate chains all by itself without external libraries. I
> didn't look at your code sample closely enough to figure out whether
> you were using OpenSSL or M2Crypto in a way that takes care of that.
TLS Lite can use both, and cryptlib_py too. For proper verification,
you need the latter. My CRL checks also require cryptlib.

The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
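
The two commands from the message above, run end to end in a throwaway directory and followed by a chain check with `openssl verify`. This is an added example, not part of the original post: the file names, subject names, the contents of `ca.conf`, and the `-batch`/`-notext` options are assumptions chosen so the run is non-interactive.

```shell
# Added example; all names and config values below are constructed.
# Builds a throwaway CA, signs one request with `openssl ca`, verifies it.
demo_ca() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" &&
        # State files that `openssl ca` expects to exist before first use.
        mkdir newcerts && : > index.txt && echo 01 > serial &&
        cat > ca.conf <<'EOF' &&
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database        = ./index.txt
new_certs_dir   = ./newcerts
serial          = ./serial
certificate     = ./ca.crt
private_key     = ./ca.key
default_md      = sha256
default_days    = 30
policy          = pol
x509_extensions = leaf
[ pol ]
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
EOF
        openssl genrsa -out ca.key 2048 2>/dev/null &&
        # The CA-creation command from the post, with concrete file names.
        openssl req -new -x509 -key ca.key -out ca.crt -days 365 -config ca.conf &&
        openssl genrsa -out some.key 2048 2>/dev/null &&
        openssl req -new -key some.key -out some.req -config ca.conf \
            -subj "/CN=server.example.test" &&
        # The signing command from the post; -batch skips the prompts.
        openssl ca -batch -config ca.conf -in some.req -out some.crt \
            -notext 2>/dev/null &&
        # Chain check: the issued certificate must verify against the CA.
        openssl verify -CAfile ca.crt some.crt
    )
    rc=$?; rm -rf "$work"; return $rc
}
demo_ca
```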