Paul Rubin wrote:
> "Frank Millman" <[EMAIL PROTECTED]> writes:
> > I don't know how to check the certificates. None of the documentation I
> > have read spells out in detail how to do this.
>
> Lemme see if I can find you something--I'll put up another post if I do.
>

Thanks

> Didn't you say wireless? That's not an internal network, it's a
> network that extends off the premises and is accessible to anyone with
> a laptop who can park a car in the neighborhood.
>

One of my goals is to use a diskless, wireless workstation that can be positioned anywhere without a whole lot of cabling. This will be particularly beneficial in a retail point-of-sale environment. It was this that got me onto the idea of SSL, to prevent the proverbial car in the neighborhood from eavesdropping on the network traffic.

> > Using openssl, generate a key for the server, generate a self-signed
> > certificate, and extract the sha1 fingerprint of the certificate. The
> > key must be kept secure but the fingerprint can be published.
>
> Then install a copy of the certificate on the client, that the client
> can authenticate against.

I wanted to keep the legwork required to set up a new client down to a minimum. I was hoping that setting a pointer to the client software, and a pointer to a connection parameter, would be sufficient. If the fingerprint is an adequate substitute for the full certificate, I would prefer it, as it is much smaller, and can easily form part of the connection parameter.

> You also want to generate a client
> certificate to install on the server. If there are multiple clients
> you should make a CA rather than trying to keep track of self-signed
> certificates. If you're paranoid, you can scrounge some $20 obsolete
> laptop from ebay and dedicate it to use as a CA, never letting it
> touch the internet (transfer files to and from it on floppy disc).
>

Both you and Sybren are insistent that this is a necessary step, but I confess I cannot see the need for it. The client is lightweight, and authenticates itself to the server using a user id and password. What is the worst that could go wrong?

> 2. I don't see the docs for getFingerprint at
> http://trevp.com/tlslite/docs/index.html

To quote from the docs, if the handshake completes without raising an exception, authentication results will be stored in the connection's session object. The following variables will be populated if applicable, or else set to None:

...
connection.session.serverCertChain
...

session is an instance of the class Session.
serverCertChain is an instance of the class X509CertChain.
getFingerprint() is a method of X509CertChain - it returns the hex-encoded fingerprint of the end-entity certificate.

Paul, I would like to thank you and Sybren for your patience. I feel I am being a bit obtuse. I am trying to understand enough of this so that I can implement 'enough' security to protect users against obvious attacks, without overburdening them with a load of maintenance which in practice they will end up ignoring.

Many thanks

Frank

--
http://mail.python.org/mailman/listinfo/python-list
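The thread stops at "getFingerprint() returns the hex-encoded fingerprint"; what makes a fingerprint an adequate stand-in for shipping the whole certificate is the comparison the client does next, and the fact that it refuses the connection on any mismatch. The block below is an added example, not code from the thread, from tlslite, or from Frank's project. It uses only the Python standard library: it derives the fingerprint from a certificate's DER bytes, normalises the formats a pin is commonly written in (openssl's `AB:CD:...` or bare hex), compares in constant time, and fails closed on a pin of the wrong length or with junk in it. `SAMPLE_CERT_DER` is a constructed stand-in for real DER bytes (a fingerprint is just a hash over those bytes), and every function name is this example's own. `check_session_fingerprint` shows the same comparison applied to a hex string a TLS library already reports, which is the shape of the value `getFingerprint()` returns according to the docs quoted above.

```python
"""Certificate fingerprint pinning check (added example, not from the thread)."""
import hashlib
import hmac

# Constructed stand-in for the DER encoding of a server certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-certificate" * 4


def fingerprint_hex(cert_der: bytes, algorithm: str = "sha1") -> str:
    """Return the lowercase hex fingerprint of DER certificate bytes.

    The thread works with the sha1 fingerprint; sha256 is the better choice
    today and is what most tooling prints, so the algorithm is a parameter.
    """
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("unsupported fingerprint algorithm: %s" % algorithm)
    return hashlib.new(algorithm, cert_der).hexdigest()


def normalise_pin(pin: str) -> str:
    """Accept the common printed forms ('AB:CD:...' or 'abcd...') and return
    lowercase hex with no separators, or '' if the pin contains anything else."""
    cleaned = pin.strip().replace(":", "").replace(" ", "").lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        return ""
    return cleaned


def with_colons(hex_fp: str) -> str:
    """Format a hex fingerprint the way openssl prints it (AB:CD:...)."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()


def verify_pinned_fingerprint(cert_der: bytes, pinned: str,
                              algorithm: str = "sha1") -> bool:
    """Return True only if the certificate's fingerprint equals the pin.

    hmac.compare_digest keeps the comparison time independent of how many
    leading characters match. A pin of the wrong length (for example a sha256
    pin checked against a sha1 fingerprint) or an empty/garbled pin fails closed.
    """
    expected = normalise_pin(pinned)
    actual = fingerprint_hex(cert_der, algorithm)
    if not expected or len(expected) != len(actual):
        return False
    return hmac.compare_digest(actual, expected)


def check_session_fingerprint(reported_hex: str, pinned: str) -> bool:
    """Same comparison for a fingerprint string the TLS library already
    reports (the shape of the value getFingerprint() returns in the thread),
    so the client never has to handle the raw certificate itself."""
    actual = normalise_pin(reported_hex)
    expected = normalise_pin(pinned)
    if not actual or not expected or len(actual) != len(expected):
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # The pin is what would be shipped inside the client's connection parameter.
    pin = with_colons(fingerprint_hex(SAMPLE_CERT_DER))
    print("pin in connection parameter:", pin)
    print("genuine certificate accepted:", verify_pinned_fingerprint(SAMPLE_CERT_DER, pin))
    tampered = SAMPLE_CERT_DER[:-1] + b"\x00"
    print("tampered certificate accepted:", verify_pinned_fingerprint(tampered, pin))
```

The pin only protects the connection if the client treats a `False` result as fatal and aborts before sending the user id and password; a client that logs the mismatch and carries on has no protection against the car in the neighborhood. The pin also has to reach the client over a channel the attacker cannot tamper with, which is the one piece of setup legwork the fingerprint approach does not remove.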