SSL/TLS - am I doing it right?
Sybren Stuvel
sybrenUSE at YOURthirdtower.com.imagination
Mon Mar 13 05:11:50 EST 2006
Frank Millman enlightened us with:
> while 1:
> conn,addr = s.accept()
> c = TLSConnection(conn)
> c.handshakeServer(certChain=certChain,privateKey=privateKey)
> data = c.recv(1024)
It's nice that you set up a TLS connection, but you never check the
certificate of the other side for vality. You should make sure the
certificate chain is completely signed from top to bottom. Then check
that the bottom certificate is amongst trusted CAs. Also check all the
certificates in the chain against the CRL of the CA. I've submitted
this CRL check to the author of TLS Lite, so it should be in a release
soon.
> s.connect((HOST,PORT))
> c = TLSConnection(s)
> c.handshakeClientCert()
> c.send(data)
See above. You set up a TLS connection, but you never verify that
you're talking to the right computer.
Sybren
--
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
Frank Zappa
More information about the Python-list
mailing list