Re: SSL/TLS - am I doing it right?



Frank Millman enlightened us with:
> I don't know how to check the certificates. None of the
> documentation I have read spells out in detail how to do this.

Read the readme that comes with TLS Lite. You can require certificate
checks, call certchain.validate(CAlist), and with my extension you can
also use the CRL module to check.

> Using openssl, generate a key for the server, generate a self-signed
> certificate, and extract the sha1 fingerprint of the certificate.
> The key must be kept secure but the fingerprint can be published.

The entire certificate can be published along with the fingerprint.

> When a client wishes to connect to the server, it must read a
> parameter which includes the IP address, the port number, and the
> fingerprint.

> After establishing an SSL connection, the client compares the
> session fingerprint (TLSLite has a getFingerprint() function) with
> the parameter. If different, client assumes it is talking to an
> imposter and disconnects.

It's a good idea if you want to keep the client lightweight. As a
matter of fact, it's what I use on the client side of my TLS
connection.

> Are there any gaping holes in this approach?

If anyone sees them, please let us know :)

There is one gaping hole, though, because you only talk about the
client checking the server. If you want to be really secure, you also
need to use client certificates and let the server check them for
validity. I do that too. Without a valid client certificate, no
connection.

Sybren
--
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
Frank Zappa
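
The client-side fingerprint check described in this thread, as an added example that is not part of the original posts. It uses Python's standard ssl module instead of TLS Lite; the "host port fingerprint" parameter layout and all function names are assumptions.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Server certificate does not match the pinned fingerprint."""


def parse_pin_parameter(param):
    """Split 'host port fingerprint' (assumed layout) into typed fields."""
    host, port, fp = param.split()          # wrong field count raises ValueError
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    fp = fp.replace(":", "").lower()        # accept openssl's AA:BB:... form
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("fingerprint must be 40 hex digits (SHA-1)")
    return host, port, fp


def cert_fingerprint(der_cert):
    """SHA-1 over the DER-encoded certificate, the digest the thread uses."""
    return hashlib.sha1(der_cert).hexdigest()


def fingerprint_matches(der_cert, pinned_fp):
    return cert_fingerprint(der_cert) == pinned_fp


def connect_pinned(param, timeout=10.0):
    """Connect, then keep the session only if the certificate matches the pin."""
    host, port, pinned_fp = parse_pin_parameter(param)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A self-signed certificate has no CA chain to validate, so chain and
    # hostname checks are off; the pin comparison below is the only
    # authentication of the server and must run before any data is sent.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)  # DER bytes even with CERT_NONE
    if der is None or not fingerprint_matches(der, pinned_fp):
        tls.close()
        raise PinMismatch("certificate fingerprint differs from pinned value")
    return tls
```

This covers only the client checking the server; the client-certificate check raised in the reply is a separate, server-side step.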