sockets and encryption

Erno Kuusela erno-news at erno.iki.fi
Mon Nov 25 18:24:50 EST 2002


In article <8hi2uuguh0l0jlmrao1fjshle68op1kt4s at 4ax.com>, Paul Nilsson
<p.nilsson at xtra.co.nz> writes:

| Doesn't ssl involve getting a certificate?

in addition to the homebrew ca/selfsigned cert solution offered by
another poster, ssl also has the option of not using any certificates
at all (at least tls does, quick look makes me think it was also in
sslv3). this is called "anonymous" mode. it is simpler and safer if
you would ignore the server certificate in any case.

eg in openssl you can use these modes by using ciphersuites
that have names beginning with "ADH-".

(aside: this would be good for smtp opportunistic encryption
w/starttls, although at least sendmail out of the box seems to be
configured to refuse anonymous connections for some reason).

but as with the self-signed certificates, this can leave you open
to man in the middle attacks. you can solve this by doing your own
authentication inside the ssl connection.

  -- erno
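Added example (not part of Erno's post): the "do your own authentication inside the ssl connection" step only closes the man-in-the-middle hole if the application-layer proof is bound to the specific TLS session, otherwise a relay that terminates two anonymous sessions can forward the proof unchanged. The channel-binding value is assumed to come from `ssl.SSLSocket.get_channel_binding("tls-unique")` in a real deployment; here it is a constructed byte string, and the shared secret is a constructed demo credential.

```python
import hashlib
import hmac
import os

# Constructed demo credential standing in for whatever the application
# really uses (password-derived key, pre-shared key, ...).
SHARED_SECRET = b"constructed-demo-secret"


def auth_token(secret, nonce, channel_binding):
    """Client proof: HMAC over the server's nonce and the client's own view
    of the TLS channel (tls-unique in a live session; constructed here)."""
    return hmac.new(secret, nonce + channel_binding, hashlib.sha256).digest()


def verify_token(secret, nonce, channel_binding, token):
    """Server check: recompute with the server's view of the channel and
    compare in constant time."""
    expected = auth_token(secret, nonce, channel_binding)
    return hmac.compare_digest(expected, token)


def direct_session():
    """One anonymous TLS session between client and server: both sides read
    the same binding value, so the bound proof verifies."""
    cb = os.urandom(32)          # constructed tls-unique of the single session
    nonce = os.urandom(16)
    token = auth_token(SHARED_SECRET, nonce, cb)
    return verify_token(SHARED_SECRET, nonce, cb, token)


def relayed_session():
    """A man in the middle terminates two separate anonymous sessions and
    forwards nonce and token verbatim. The client bound its proof to the
    client<->MITM session; the server checks against MITM<->server, so the
    bound proof fails and the relay is detected."""
    cb_client_side = os.urandom(32)   # constructed, differs per session
    cb_server_side = os.urandom(32)
    nonce = os.urandom(16)
    token = auth_token(SHARED_SECRET, nonce, cb_client_side)
    return verify_token(SHARED_SECRET, nonce, cb_server_side, token)


def unbound_relay():
    """Same relay, but the proof omits the channel binding: it verifies on
    the server, so an in-channel login alone does not detect the MITM."""
    nonce = os.urandom(16)
    token = auth_token(SHARED_SECRET, nonce, b"")
    return verify_token(SHARED_SECRET, nonce, b"", token)
```

tls-unique is not defined for TLS 1.3; there an exported keying material value (RFC 5705 / RFC 9266 tls-exporter) plays the same role as the binding input.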


