Re: SSL/TLS - am I doing it right?
- From: "Frank Millman" <frank@xxxxxxxxxxxx>
- Date: 14 Mar 2006 04:12:38 -0800
Paul Rubin wrote:
"Frank Millman" <frank@xxxxxxxxxxxx> writes:
I don't know how to check the certificates. None of the documentation I
have read spells out in detail how to do this.
Lemme see if I can find you something--I'll put up another post if I do.
Thanks
Didn't you say wireless? That's not an internal network, it's a
network that extends off the premises and is accessible to anyone with
a laptop who can park a car in the neighborhood.
One of my goals is to use a diskless, wireless workstation that can be
positioned anywhere without a whole lot of cabling. This will be
particularly beneficial in a retail point-of-sale environment. It was
this that got me onto the idea of SSL, to prevent the proverbial car in
the neighborhood from eavesdropping on the network traffic.
Using openssl, generate a key for the server, generate a self-signed
certificate, and extract the sha1 fingerprint of the certificate. The
key must be kept secure but the fingerprint can be published.
Then install a copy of the certificate on the client, that the client
can authenticate against.
I wanted to keep the legwork required to set up a new client down to a
minimum. I was hoping that setting a pointer to the client software,
and a pointer to a connection parameter, would be sufficient. If the
fingerprint is an an adequate substitute for the full certificate, I
would prefer it, as it is much smaller, and can easily form part of the
connection parameter.
You also want to generate a client
certificate to install on the server. If there are multiple clients
you should make a CA rather than trying to keep track of self-signed
certificates. If you're paranoid, you can scrounge some $20 obsolete
laptop from ebay and dedicate it to use as a CA, never letting it
touch the internet (transfer files to and from it on floppy disc).
Both you and Sybren are insistent that this is a necessary step, but I
confess I cannot see the need for it. The client is lightweight, and
authenticates itself to the server using a user id and password. What
is the worst that could go wrong?
2. I don't see the docs for getFingerprint at
http://trevp.com/tlslite/docs/index.html
To quote from the docs, if the handshake completes without raising an
exception, authentication results will be stored in the connection's
session object. The following variables will be populated if
applicable, or else set to None:
....
connection.session.serverCertChain
....
session is an instance of the class Session.
serverCertChain is an instance of the class X509CertChain
getFingerprint() is a method of X509CertChain - it returns the
hex-encoded fingerprint of the end-entity certificate.
Paul, I would like to thank you and Sybren for your patience. I feel I
am being a bit obtuse. I am trying to understand enough of this so that
I can implement 'enough' security to protect users against obvious
attacks, without overburdening them with a load of maintenance which in
practice they will end up ignoring.
Many thanks
Frank
.
- Follow-Ups:
- Re: SSL/TLS - am I doing it right?
- From: Paul Rubin
- Re: SSL/TLS - am I doing it right?
- From: Michael Ekstrand
- Re: SSL/TLS - am I doing it right?
- References:
- SSL/TLS - am I doing it right?
- From: Frank Millman
- Re: SSL/TLS - am I doing it right?
- From: Sybren Stuvel
- Re: SSL/TLS - am I doing it right?
- From: Frank Millman
- Re: SSL/TLS - am I doing it right?
- From: Sybren Stuvel
- Re: SSL/TLS - am I doing it right?
- From: Frank Millman
- Re: SSL/TLS - am I doing it right?
- From: Sybren Stuvel
- Re: SSL/TLS - am I doing it right?
- From: Frank Millman
- Re: SSL/TLS - am I doing it right?
- From: Paul Rubin
- SSL/TLS - am I doing it right?
- Prev by Date: Re: Accessing overridden __builtin__s?
- Next by Date: andmap and ormap
- Previous by thread: Re: SSL/TLS - am I doing it right?
- Next by thread: Re: SSL/TLS - am I doing it right?
- Index(es):
Relevant Pages
|
