SSL/TLS - am I doing it right?

[Sybren Stuvel]

Frank Millman enlightened us with:
> I don't know how to check the certificates. None of the
> documentation I have read spells out in detail how to do this.

Read the readme that comes with TLS Lite. You can require certificate
checks, call certchain.validate(CAlist), and with my extension you can
also use the CRL module to check.

> Using openssl, generate a key for the server, generate a self-signed
> certificate, and extract the sha1 fingerprint of the certificate.
> The key must be kept secure but the fingerprint can be published.

The entire certificate can be published along with the fingerprint.

> When a client wishes to connect to the server, it must read a
> parameter which includes the ip address, the port number, and the
> fingerprint.
>
> After establishing an SSL connection, the client compares the
> session fingerprint (TLSLite has a getFingerprint() function) with
> the parameter. If different, client assumes it is talking to an
> imposter and disconnects.

It's a good idea if you want to keep the client lightweight. As a
matter of fact, it's what I use on the client side of my TLS
connection.

> Are there any gaping holes in this approach?

If anyone sees them, please let us know :)

There is one gaping hole, though, because you only talk about the
client checking the server. If you want to be really secure, you also
need to use client certificates and let the server check them for
validity. I do that too. Without a valid client certificate, no
connection.

Sybren
-- 
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself? 
                                             Frank Zappa