Re: SSL/TLS - am I doing it right?
- From: Paul Rubin <http://phr.cx@xxxxxxxxxxxxxx>
- Date: 14 Mar 2006 01:44:30 -0800
"Frank Millman" <frank@xxxxxxxxxxxx> writes:
> I don't know how to check the certificates. None of the documentation I
> have read spells out in detail how to do this.
Lemme see if I can find you something--I'll put up another post if I do.
> What about this idea? I am not looking for a state-of-the-art solution.
> I am looking for something that is 'good enough' for a typical SME with
> its own internal network.
Didn't you say wireless? That's not an internal network, it's a
network that extends off the premises and is accessible to anyone with
a laptop who can park a car in the neighborhood.
> Using openssl, generate a key for the server, generate a self-signed
> certificate, and extract the sha1 fingerprint of the certificate. The
> key must be kept secure but the fingerprint can be published.
> Then install a copy of the certificate on the client, that the client
> can authenticate against. You also want to generate a client
> certificate to install on the server. If there are multiple clients
> you should make a CA rather than trying to keep track of self-signed
> certificates. If you're paranoid, you can scrounge some $20 obsolete
> laptop from ebay and dedicate it to use as a CA, never letting it
> touch the internet (transfer files to and from it on floppy disc).
> After establishing an SSL connection, the client compares the session
> fingerprint (TLSLite has a getFingerprint() function) with the
> parameter. If different, client assumes it is talking to an imposter
> and disconnects.
> Are there any gaping holes in this approach?
1. You have to authenticate both the server and the client; you can do
that with certificates at both ends (preferred for non-public-facing
applications) or you could do it with something like a client password
sent through the TLS session after the session is established.
2. I don't see the docs for getFingerprint at
http://trevp.com/tlslite/docs/index.html .
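Worked example of the scheme discussed above, added here and not taken from the thread or from TLSLite: a self-signed server cert pinned by its SHA-1 fingerprint, plus a client certificate the server demands (Paul's point 1). It assumes the openssl command-line tool is on PATH for key and certificate generation, uses Python's standard ssl module in place of TLSLite (getpeercert(binary_form=True) hashed with hashlib stands in for getFingerprint()), and runs everything over a loopback socket with constructed names ("server", "imposter", "client") and a constructed "hello" message. Three sessions are tried: the honest server, an imposter presenting its own self-signed cert, and a client that presents no certificate.

```python
"""Fingerprint-pinned, mutually authenticated TLS over a loopback socket.

Added example, not code from the thread or TLSLite. Assumes the openssl
CLI is on PATH; the TLS side uses Python's standard ssl module.
"""
import hashlib
import hmac
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(name, directory):
    """Generate a private key and a self-signed certificate with the openssl CLI."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=" + name],
        check=True, capture_output=True)
    return key, crt


def sha1_fingerprint(crt_path):
    """SHA-1 of the DER encoding, formatted like `openssl x509 -fingerprint -sha1`."""
    with open(crt_path) as f:
        der = ssl.PEM_cert_to_DER_cert(f.read())
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_fingerprint(peer_der, expected):
    """Constant-time compare of the peer cert's SHA-1 against the published pin.
    SHA-1 is what the thread specifies; a new deployment would pin SHA-256."""
    actual = hashlib.sha1(peer_der).hexdigest()
    return hmac.compare_digest(actual, expected.replace(":", "").lower())


def serve_once(server_key, server_crt, client_crt, sock):
    """One echo round on a server that refuses clients without a known cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED       # mutual auth: no client cert, no session
    ctx.load_verify_locations(client_crt)     # the self-signed client cert is the trust anchor
    conn = None
    try:
        conn, _ = sock.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"echo:" + tls.recv(1024))
    except OSError:
        pass                                  # handshake rejected, or the client hung up
    finally:
        if conn:
            conn.close()
        sock.close()


def connect(port, pin, client_key=None, client_crt=None):
    """Client side: pin the server cert by fingerprint, present our own cert if given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # identity comes from the pin, not a CA chain
    if client_crt:
        ctx.load_cert_chain(client_crt, client_key)
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with ctx.wrap_socket(raw) as tls:
            if not check_fingerprint(tls.getpeercert(binary_form=True), pin):
                return ("imposter", None)     # wrong cert: disconnect before sending anything
            tls.sendall(b"hello")
            reply = tls.recv(1024)
            return ("ok", reply) if reply else ("tls-error", None)
    except OSError:                           # ssl.SSLError is a subclass of OSError
        return ("tls-error", None)


def exchange(server_key, server_crt, trusted_client_crt, pin, client_key=None, client_crt=None):
    """Run one server/client session on an ephemeral loopback port."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    sock.settimeout(5)
    t = threading.Thread(target=serve_once, args=(server_key, server_crt, trusted_client_crt, sock))
    t.start()
    result = connect(sock.getsockname()[1], pin, client_key, client_crt)
    t.join()
    return result


def run_demo():
    """Honest server, imposter with its own cert, and a client with no cert."""
    with tempfile.TemporaryDirectory() as d:
        s_key, s_crt = make_self_signed("server", d)
        i_key, i_crt = make_self_signed("imposter", d)
        c_key, c_crt = make_self_signed("client", d)
        pin = sha1_fingerprint(s_crt)         # the value you would publish
        return {
            "pin": pin,
            "honest": exchange(s_key, s_crt, c_crt, pin, c_key, c_crt),
            "imposter": exchange(i_key, i_crt, c_crt, pin, c_key, c_crt),
            "no_client_cert": exchange(s_key, s_crt, c_crt, pin),
        }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The client deliberately turns chain validation off because the pin is the whole of the server's identity in this scheme; comparing with hmac.compare_digest keeps the check constant-time, and the comparison happens before any application data is sent so an imposter learns nothing but that it was refused. The server side is the CERT_REQUIRED plus load_verify_locations pair: with several clients you would point load_verify_locations at the CA certificate instead of at each client's self-signed cert.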