Re: SSL/TLS - am I doing it right?
- From: "Frank Millman" <frank@xxxxxxxxxxxx>
- Date: 13 Mar 2006 02:53:00 -0800
Sybren Stuvel wrote:
> Frank Millman enlightened us with:
>> while 1:
>>     conn,addr = s.accept()
>>     c = TLSConnection(conn)
>>     c.handshakeServer(certChain=certChain,privateKey=privateKey)
>>     data = c.recv(1024)
>
> It's nice that you set up a TLS connection, but you never check the
> certificate of the other side for validity. You should make sure the
> certificate chain is completely signed from top to bottom. Then check
> that the bottom certificate is amongst trusted CAs. Also check all the
> certificates in the chain against the CRL of the CA.

Thanks for the reply, Sybren.
I was hoping to avoid this step. The point of the exercise for me is
encryption. I am not too worried about authentication. The next step in
my app is for the client to enter a user id and password, and the
server will not proceed without verifying this.
However, I realise that security is not something to be trivialised, so
if your recommendation is that I do complete the validation steps, I
will try to understand that part of the documentation and apply that as
well.
Thanks
Frank
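
The three checks named in the quoted advice (chain signatures, trusted CA, CRL), shown as an added example that is not part of the original thread. It uses Python's standard `ssl` module rather than the TLSConnection API in the quoted code; the function names and file-path parameters are assumptions for illustration.

```python
import ssl

def encryption_only_server(certfile=None, keyfile=None):
    """Encrypts traffic but accepts any client: no peer certificate is requested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_NONE  # default for server contexts, stated explicitly
    return ctx

def verifying_server(certfile=None, keyfile=None, client_ca=None, crl=None):
    """Requires a client certificate whose chain ends at a trusted CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid chain
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # trust anchors
    if crl:
        ctx.load_verify_locations(cafile=crl)  # CRLs load the same way
        # Every CA in the chain must then have a CRL loaded, or validation fails.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx

def verifying_client(ca=None, crl=None):
    """Client side: chain validation plus a hostname match on the server cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca)
    if crl:
        ctx.load_verify_locations(cafile=crl)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx

def checks_enabled(ctx):
    """Summarise which peer checks a context will enforce during the handshake."""
    return {
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "crl_checked": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }

def serve_once(listener, ctx):
    """Same shape as the quoted accept loop; raises ssl.SSLError on a bad peer."""
    conn, addr = listener.accept()
    with ctx.wrap_socket(conn, server_side=True) as tls:
        return tls.getpeercert(), tls.recv(1024)
```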