Hi,

I'm currently developing a Python application which is a standalone
xml-rpc server, so with no web server in front of it.
(more details on http://www.pykota.com/software/pykoticon if needed)

This application works perfectly fine, but now I'd like to encrypt
all traffic between the client hosts and the server hosts.

But what makes it interesting, IMHO, is that usually there are
far more clients than servers, and in this situation the exact
opposite is true.

For example, on a typical site, you'll have something like a maximum
of ten clients and several thousand servers, since this
application is run (but not necessarily installed, if run from a
network share) on desktop systems (of any type) and the clients are
(in my own case) print servers (all *nix).

Each client can connect to any server, but servers can accept 
queries only if they come from some particular clients (already 
handled in the current code). Each server has a very low impact on 
performance, on average accepting maybe twenty queries per hour. 

What I want to ensure is that:

        - the servers (desktop systems) can verify that incoming client
          connections really come from one of the authorized clients
          (print servers). Actually this verification is done but
          could probably be made more strict.
          
        - no data flies in the clear between clients and servers
          (this data can contain passwords).
          
        - each client (print servers) can connect to any of the 
          servers (desktop systems), but ensuring that a server
          really is the host it says it is, is not very important.
        
I'm a complete newbie as far as ssl is concerned, so I'd
like some directions about the best way to achieve my goals.

In particular, having a separate certificate for each of the
servers (desktop systems) really could be problematic considering
the number of them, although having one for each client (print
servers) could be feasible.

Someone suggested that I use stunnel on both sides. Could
this be the solution?

Since I entirely control the code on both the client and server
sides, is there a simpler solution that could be implemented?

Could people give me some hints about the best thing to
do, what I should read first, etc.?

Thanks a lot in advance

Jerome Alet
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
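The design sketched in the post (desktops as TLS servers that hold only the CA certificate, print servers as clients with one certificate each, and a single certificate shared by all desktops), as an added example written by the editor in Python 3. It is not code from the original post or from PyKotIcon. It assumes the openssl command-line tool is installed and uses it to generate throwaway certificates in a temporary directory; all names (print-servers-ca, printserver1, pykoticon-desktop, the ping method) are made up. The handler's CN allow-list is the "more strict" check the post mentions on top of "signed by our CA". Pinning the shared desktop certificate on the print-server side goes one step beyond what the post asks for, but it costs nothing when every desktop ships the same certificate, and without it anyone on the network can impersonate a desktop and collect the passwords carried in the requests.

```python
"""Added example, not code from the original post or from PyKotIcon: asymmetric
TLS for an XML-RPC service whose *servers* are desktops and whose *clients* are
a few print servers.  Each desktop demands a client cert issued by one private
CA (so it needs only that CA cert, no cert of its own); all desktops share one
self-signed cert, pinned by the print servers.  Certificates are generated on
the fly with the `openssl` CLI, which is assumed to be installed."""
import ssl
import subprocess
import tempfile
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Own minimal config so the result does not depend on the system openssl.cnf.
OPENSSL_CNF = """[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_leaf]
basicConstraints = CA:FALSE
"""
EC_KEY = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes"]

def make_pki(workdir):
    """CA, CA-issued print-server cert, rogue self-signed cert, shared desktop cert."""
    cnf = f"{workdir}/openssl.cnf"
    with open(cnf, "w") as f:
        f.write(OPENSSL_CNF)
    p = {n: f"{workdir}/{n}.pem" for n in ("ca", "ca_key", "csr", "printserver",
         "printserver_key", "rogue", "rogue_key", "desktop", "desktop_key")}
    run = lambda *a: subprocess.run(["openssl", *a], check=True, capture_output=True)
    # Private CA: its certificate is the only file every desktop needs.
    run("req", "-x509", "-config", cnf, "-extensions", "v3_ca", *EC_KEY,
        "-subj", "/CN=print-servers-ca", "-keyout", p["ca_key"], "-out", p["ca"])
    # Authorized print server: a CSR signed by that CA.
    run("req", "-new", "-config", cnf, *EC_KEY, "-subj", "/CN=printserver1",
        "-keyout", p["printserver_key"], "-out", p["csr"])
    run("x509", "-req", "-in", p["csr"], "-CA", p["ca"], "-CAkey", p["ca_key"],
        "-CAcreateserial", "-extfile", cnf, "-extensions", "v3_leaf", "-out", p["printserver"])
    # Rogue client and the shared desktop cert: self-signed, not CAs.
    for name, cn in (("rogue", "rogue"), ("desktop", "pykoticon-desktop")):
        run("req", "-x509", "-config", cnf, "-extensions", "v3_leaf", *EC_KEY,
            "-subj", "/CN=" + cn, "-keyout", p[name + "_key"], "-out", p[name])
    return p

def desktop_context(p):
    # Server side, on every desktop: trust only certificates from the print-servers CA.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(p["desktop"], p["desktop_key"])
    ctx.load_verify_locations(cafile=p["ca"])
    ctx.verify_mode = ssl.CERT_REQUIRED  # no CA-issued client cert, no handshake
    return ctx

def printserver_context(cert, key, desktop_cert):
    # Client side, on a print server: present our cert, pin the shared desktop cert.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_cert_chain(cert, key)
    ctx.check_hostname = False  # desktops have no stable names; the pinned cert suffices
    ctx.load_verify_locations(cafile=desktop_cert)  # verify_mode stays CERT_REQUIRED
    return ctx

class PeerCheckingHandler(SimpleXMLRPCRequestHandler):
    """Stricter than 'signed by our CA': an allow-list of print-server CNs."""
    allowed_cns = {"printserver1"}

    def do_POST(self):
        subject = {k: v for rdn in self.connection.getpeercert()["subject"] for k, v in rdn}
        if subject.get("commonName") not in self.allowed_cns:
            self.send_error(403, "print server not authorized")
            return
        self.server.last_peer = subject["commonName"]
        super().do_POST()

def demo():
    """One desktop server on localhost, one authorized and one rogue client."""
    with tempfile.TemporaryDirectory() as d:
        p = make_pki(d)
        server = SimpleXMLRPCServer(("127.0.0.1", 0), PeerCheckingHandler, logRequests=False)
        server.socket = desktop_context(p).wrap_socket(server.socket, server_side=True)
        server.register_function(lambda: "pong", "ping")
        server.last_peer = None
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = "https://127.0.0.1:%d/RPC2" % server.server_address[1]
        try:
            good = printserver_context(p["printserver"], p["printserver_key"], p["desktop"])
            reply = xmlrpc.client.ServerProxy(url, context=good).ping()
            bad = printserver_context(p["rogue"], p["rogue_key"], p["desktop"])
            try:
                xmlrpc.client.ServerProxy(url, context=bad).ping()
                rogue_rejected = False
            except OSError:  # ssl.SSLError or a reset: the desktop refused the handshake
                rogue_rejected = True
        finally:
            server.shutdown()
            server.server_close()
    return {"authorized": reply, "peer": server.last_peer, "rogue_rejected": rogue_rejected}
```

Calling demo() returns the authorized client's reply ("pong"), the CN the desktop recorded for it ("printserver1"), and rogue_rejected=True for the self-signed client, which never gets past the TLS handshake because its certificate was not issued by the CA the desktop trusts. The same split applies if stunnel is used instead: the desktop side needs CAfile plus verify = 2 to demand a CA-issued client certificate, and each print server side needs its own cert; since both ends here are Python, the ssl module does the same work in-process without a second daemon.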
