Getting SSL certificate

Stuart D. Gathman stuart at bmsi.com
Fri Nov 8 22:55:23 EST 2002


On Fri, 08 Nov 2002 07:01:01 -0500, Martin v. Löwis wrote:

> Erno Kuusela <erno-news at erno.iki.fi> writes:
> 
>> || The httplib modules supports SSL, but does not check certificates.
> 
> Can you please explain what it means to check a certificate?

I know of two levels of checking:

  1) an automatic level that verifies all digital signatures on the cert
	this tells you that someone registered the cert with the CA, and it
	has not been forged (presumably the SSL protocol signs some random data
	unique to the session along with the cert to prevent replay).

  2) a manual level where a person or high level program checks that the
	name on the certificate is one they expect, or feel like trusting.

In my case, there is only one cert that the application will trust - but
I need to make sure it hasn't been forged.

>> and cert_file was for a certificate authority that the server cert
>> should be checked against. but it is a faint impression :)

That would make sense, but the docs say that checking the server certificate
is not implemented.

>> in case it is so, this still does not let you at the server
>> certificate...

> Is there a missing here?

Definitely, because even if the checking for level (1) above were
automatic (as the arguments seem intended for), the application still
needs to get at the server certificate in some form to check that they
are talking to the right entity.  Anybody and their dog can get a signed
certificate.  (And I remember a Slashdot story about someone getting a
certificate for their dog to illustrate how weak the checking at Verisign
is.)

-- 
	      Stuart D. Gathman <stuart at bmsi.com>
Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
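The two levels described above, as an added example that is not part of the original thread: level (1) is delegated to the modern `ssl` module (which, unlike the 2002 `httplib`, verifies the chain and the name), and level (2) is done by the application by comparing the fingerprint of the DER-encoded peer certificate against the single certificate it is willing to trust. The function names, the `cafile` parameter, and the pinned fingerprint are assumptions for illustration.

```python
import hashlib
import hmac
import http.client
import ssl


# Level (1): the library verifies every signature on the chain against the
# trusted CAs (system store, or the optional cafile) and checks that the name
# in the certificate matches the host we dialed.
def make_verifying_context(cafile=None):
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # refuse connections with an unverifiable cert
    ctx.check_hostname = True             # the cert's name must match the target host
    return ctx


# Level (2): the application trusts exactly one certificate, so it compares the
# SHA-256 fingerprint of the peer's DER certificate with the expected value
# (the "pin") in constant time rather than relying on the CA alone.
def cert_fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, expected_hex):
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_hex.lower())


def open_pinned_https(host, expected_hex, port=443, cafile=None):
    """Connect, then refuse to use the connection unless the peer certificate
    is the one the application was configured to trust (hypothetical helper)."""
    conn = http.client.HTTPSConnection(host, port, context=make_verifying_context(cafile))
    conn.connect()                        # raises ssl.SSLError if level (1) fails
    der = conn.sock.getpeercert(binary_form=True)
    if not pin_matches(der, expected_hex):
        conn.close()
        raise ssl.SSLError("peer certificate does not match the pinned fingerprint")
    return conn
```

`expected_hex` is the hex SHA-256 of the trusted certificate's DER bytes, recorded out of band when the certificate is provisioned; rotate it whenever that certificate is reissued.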


