SSL/TLS - am I doing it right?

Frank Millman frank at chagford.com
Mon Mar 13 05:53:00 EST 2006


Sybren Stuvel wrote:
> Frank Millman enlightened us with:
> >     while 1:
> >       conn,addr = s.accept()
> >       c = TLSConnection(conn)
> >       c.handshakeServer(certChain=certChain,privateKey=privateKey)
> >       data = c.recv(1024)
>
> It's nice that you set up a TLS connection, but you never check the
> certificate of the other side for validity. You should make sure the
> certificate chain is completely signed from top to bottom. Then check
> that the bottom certificate is amongst trusted CAs. Also check all the
> certificates in the chain against the CRL of the CA.

Thanks for the reply, Sybren.

I was hoping to avoid this step. The point of the exercise for me is
encryption. I am not too worried about authentication. The next step in
my app is for the client to enter a user id and password, and the
server will not proceed without verifying this.

However, I realise that security is not something to be trivialised, so
if your recommendation is that I do complete the validation steps, I
will try to understand that part of the documentation and apply that as
well.

Thanks

Frank
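The three checks Sybren lists (chain fully signed, anchored in a trusted CA, checked against the CA's CRL) are what turns "encryption only" into an authenticated channel; without them a password sent over the connection goes to whoever answered the socket. As an added example, not Frank's code and not tlslite's API, here is how the stdlib `ssl` module expresses those checks; `cafile` and `crlfile` are caller-supplied PEM paths, and with `cafile=None` the OS trust store is used.

```python
"""Added example (not from the original thread): peer authentication with
the stdlib ``ssl`` module, mirroring the three checks described above.

Assumptions: ``cafile`` is a PEM bundle of trusted CA certificates and
``crlfile`` a PEM file of CRLs issued by those CAs (both placeholders).
"""
import socket
import ssl


def verifying_context(cafile=None, crlfile=None, server_side=False):
    """Return an SSLContext that authenticates the peer instead of only encrypting.

    server_side=False builds a client context that verifies the server's
    chain and hostname; server_side=True builds a server context that
    requires a client certificate chaining to ``cafile`` (mutual TLS).
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    # With cafile=None, create_default_context() loads the OS trust store.
    ctx = ssl.create_default_context(purpose, cafile=cafile)

    # Checks 1 and 2: the chain must be completely signed and end at a CA
    # we trust. CERT_REQUIRED makes a missing or untrusted chain fatal.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Hostname binding only applies when we connect *to* a named server;
    # a server-side context must leave it off.
    ctx.check_hostname = not server_side

    # Check 3: every certificate in the chain against its issuer's CRL.
    # OpenSSL only consults CRLs we load ourselves; once the flag is set and
    # no matching CRL is available, the handshake fails closed.
    if crlfile is not None:
        ctx.load_verify_locations(cafile=crlfile)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def connect(host, port, cafile=None, crlfile=None):
    """Open a TLS client connection that aborts if the server is not authenticated."""
    ctx = verifying_context(cafile, crlfile)
    sock = socket.create_connection((host, port))
    # wrap_socket runs the handshake and raises ssl.SSLCertVerificationError
    # on an untrusted chain, a hostname mismatch or a revoked certificate,
    # before any application data (such as a password) is sent.
    return ctx.wrap_socket(sock, server_hostname=host)
```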
