"Frank Millman" <[EMAIL PROTECTED]> writes: > I don't know how to check the certificates. None of the documentation I > have read spells out in detail how to do this.
Lemme see if I can find you something--I'll put up another post if I do. > What about this idea? I am not looking for a state-of-the-art solution. > I am looking for something that is 'good enough' for a typical SME with > its own internal network. Didn't you say wireless? That's not an internal network, it's a network that extends off the premises and is accessible to anyone with a laptop who can park a car in the neighborhood. > Using openssl, generate a key for the server, generate a self-signed > certificate, and extract the sha1 fingerprint of the certificate. The > key must be kept secure but the fingerprint can be published. Then install a copy of the certificate on the client, that the client can authenticate against. You also want to generate a client certificate to install on the server. If there are multiple clients you should make a CA rather than trying to keep track of self-signed certificates. If you're paranoid, you can scrounge some $20 obsolete laptop from ebay and dedicate it to use as a CA, never letting it touch the internet (transfer files to and from it on floppy disc). > After establishing an SSL connection, the client compares the session > fingerprint (TLSLite has a getFingerprint() function) with the > parameter. If different, client assumes it is talking to an imposter > and disconnects. > > Are there any gaping holes in this approach? 1. You have to authenticate both the server and the client; you can do that with certificates at both ends (preferred for non-public-facing applications) or you could do it with something like a client password sent through the TLS session after the session is established. 2. I don't see the docs for getFingerprint at http://trevp.com/tlslite/docs/index.html -- http://mail.python.org/mailman/listinfo/python-list