Frank Millman enlightened us with:

> while 1:
>     conn,addr = s.accept()
>     c = TLSConnection(conn)
>     c.handshakeServer(certChain=certChain,privateKey=privateKey)
>     data = c.recv(1024)
It's nice that you set up a TLS connection, but you never check the certificate of the other side for validity. You should make sure the certificate chain is completely signed from top to bottom. Then check that the bottom certificate is amongst trusted CAs. Also check all the certificates in the chain against the CRL of the CA. I've submitted this CRL check to the author of TLS Lite, so it should be in a release soon.

> s.connect((HOST,PORT))
> c = TLSConnection(s)
> c.handshakeClientCert()
> c.send(data)

See above. You set up a TLS connection, but you never verify that you're talking to the right computer.

Sybren
-- 
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
                                                         Frank Zappa
-- 
http://mail.python.org/mailman/listinfo/python-list
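The three checks Sybren lists (chain signed end to end, anchored in a trusted CA, each certificate checked against a CRL) plus the client-side "am I talking to the right computer" check, shown as an added example that is not part of the thread and not TLS Lite code. It uses Python's standard-library ssl module instead of TLS Lite, because the ssl module performs all four checks inside the handshake once the context is configured for them. The insecure context reproduces what the posted client effectively does. The file names (cafile, crlfile, certfile, keyfile) are assumed placeholders; the hostname_matches helper is included only to make the matching rule visible, since OpenSSL already applies it when check_hostname is True.

```python
import socket
import ssl


def insecure_client_context():
    """What the posted client effectively does: encrypt, but trust anyone.

    No chain verification, no trust anchor, no CRL check, no hostname check.
    An active attacker with any self-signed certificate completes the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE   # accept whatever certificate the peer presents
    return ctx


def verified_client_context(cafile=None, crl_files=()):
    """Client context that performs all of the checks from the post.

    cafile:    PEM bundle of trust anchors (assumed path); default is the
               platform trust store.
    crl_files: PEM CRLs, one per CA in the chain (assumed paths).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must verify to a loaded anchor
    ctx.check_hostname = True             # leaf must match the name we connect to
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    for crl in crl_files:
        # load_verify_locations also accepts PEM CRLs; the flag makes
        # OpenSSL consult them for every certificate in the chain.
        ctx.load_verify_locations(cafile=crl)
    if crl_files:
        # Caveat: with this flag set, a CA without a loaded CRL causes the
        # handshake to fail ("unable to get certificate CRL"), so supply a
        # CRL for each CA, not only the issuing one.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def mutual_tls_server_context(certfile, keyfile, client_cafile):
    """Server side of the post: present our chain and require a client cert
    that chains to client_cafile (all three paths are assumed placeholders)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # handshake fails without a valid client chain
    ctx.load_verify_locations(cafile=client_cafile)
    return ctx


def connect_verified(host, port, ctx):
    """Open a TLS connection; server_hostname drives both SNI and the hostname check.
    If the chain, CRL or name check fails, wrap_socket raises ssl.SSLCertVerificationError."""
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


def hostname_matches(cert, hostname):
    """Match `hostname` against the dNSName SANs of a cert in the dict shape
    returned by SSLSocket.getpeercert(). A wildcard is honoured only as the
    whole leftmost label and matches exactly one label (RFC 6125 6.4.3);
    the deprecated commonName is ignored."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                   # ".example.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]     # the label replacing "*"
                if left and "." not in left:
                    return True
        elif name == host:
            return True
    return False


if __name__ == "__main__":
    # Usage against a real endpoint (network required):
    #   ctx = verified_client_context("ca.pem", ["ca.crl"])
    #   tls = connect_verified("example.com", 443, ctx)
    #   print(tls.getpeercert()["subject"])
    sample = {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
    print(hostname_matches(sample, "www.example.com"))
```

The two contexts differ only in four settings, which is the whole gap between "encrypted" and "authenticated": verify_mode, a loaded trust anchor, VERIFY_CRL_CHECK_CHAIN with CRLs loaded, and check_hostname together with server_hostname on wrap_socket.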