SSL/TLS support in Pyro4

Irmen de Jong irmen.NOSPAM at xs4all.nl
Fri Aug 4 10:12:35 EDT 2017


On 04/08/2017 15:44, Robin Becker wrote:
> ..........
>>
>> Hi Robin
>>
>> I am not sure how this is any benefit over the self-signed root certs that I now use?
>>
>> Except for the fact that these are a root cert as well and don't use any CA trust chain.
>> To be able to validate this cert, I have to load it as a CA cert on the validating side.
>> Which isn't bad per se.
>>
>> I've used openssl as mentioned here to create my certs:
>> https://docs.python.org/3.7/library/ssl.html#self-signed-certificates
> .........Well I was thinking perhaps you had trouble with self signed certs for some
> reason. I only used CA type setup because some recipe for mongo clusters seems to want
> that. I think the mariadb clusters were fine with simple self signed certs. However, if
> I control the cluster can I not just distribute the cert to all members and have them
> validate it against itself or does python refuse to do that? I vaguely remember some
> python apis allow the authority chain to be specified.

You can specify a CAcert using load_verify_locations on the ssl context. Is that what
you meant? I figured out that if you set that to the peer's certificate it will then be
accepted.  I understand it as much as "hey openssl here is a root cert that you should
trust if you encounter it".
Without doing this, the cert is denied on the SSL level (unless you set the ssl options
to no-cert-required but that is definitely not what I wanted).

Bottom line is I learned something new :)

And also that Python's standard ssl library isn't as bad as I remember it to be a few
years ago.  Is there still a reason to use, say, PyOpenSSL anymore?


Irmen
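The behaviour Irmen describes, written out as an added example that is not part of the original thread and not Pyro4's own code. It uses only Python's standard ssl module; the one external assumption is that the `openssl` command-line tool is on PATH, used solely to mint two throwaway self-signed certificates for localhost. The function names (`pinned_client_context`, `try_handshake`, `run_demo`) are mine. It runs an in-process TLS server with one self-signed certificate and shows three client configurations: the peer's own cert loaded via `load_verify_locations()` (accepted), no trust anchors at all (rejected, the "denied on the SSL level" case), and a different self-signed cert loaded as the anchor (also rejected, which is what makes this pinning rather than "accept anything self-signed").

```python
"""
Pinning one self-signed certificate as the sole trust anchor with Python's
standard ssl module. Added example for this thread; not Pyro4 code.
Assumes the `openssl` CLI is on PATH (only used to mint throwaway certs).
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "localhost"


def make_self_signed_cert(prefix, hostname=HOST):
    """Mint a throwaway self-signed cert/key pair with the openssl CLI.
    Returns (certfile, keyfile), or None when openssl is not installed.
    A SAN for `hostname` is added so Python's hostname check can pass."""
    if shutil.which("openssl") is None:
        return None
    certfile, keyfile = prefix + ".pem", prefix + ".key"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", keyfile, "-out", certfile, "-days", "1",
         "-subj", "/CN=" + hostname,
         "-addext", "subjectAltName=DNS:" + hostname],
        check=True, capture_output=True)
    return certfile, keyfile


def pinned_client_context(peer_certfile):
    """Client context that trusts exactly one certificate: the peer's own.
    PROTOCOL_TLS_CLIENT already sets verify_mode=CERT_REQUIRED and
    check_hostname=True; load_verify_locations() makes the peer's self-signed
    cert the only trust anchor. The system CA store is never loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=peer_certfile)
    return ctx


def unpinned_client_context():
    """Same verification settings, but no trust anchors at all."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def try_handshake(certfile, keyfile, client_ctx, hostname=HOST):
    """One TLS handshake against an in-process server presenting `certfile`.
    Returns "ok" if the client accepted the certificate, "verify_failed"
    if certificate verification rejected it."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile, keyfile)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # one byte proves the client got past verification
        except OSError:
            pass  # client aborted the handshake (expected when it rejects us)

    server = threading.Thread(target=serve)
    server.start()
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with client_ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(b"x")
        return "ok"
    except ssl.SSLCertVerificationError:
        return "verify_failed"
    finally:
        server.join()
        listener.close()


def run_demo():
    """Compare three client configurations against one server certificate.
    Returns a dict of outcomes, or None when openssl is unavailable."""
    with tempfile.TemporaryDirectory() as tmp:
        peer = make_self_signed_cert(os.path.join(tmp, "peer"))
        if peer is None:
            return None
        peer_cert, peer_key = peer
        other_cert, _ = make_self_signed_cert(os.path.join(tmp, "other"))
        return {
            # the peer's own cert is the trust anchor -> accepted
            "pinned_to_peer": try_handshake(peer_cert, peer_key, pinned_client_context(peer_cert)),
            # no anchors loaded -> rejected ("denied on the SSL level")
            "no_trust_anchors": try_handshake(peer_cert, peer_key, unpinned_client_context()),
            # a different self-signed cert is pinned -> rejected: this pins one
            # identity, it does not mean "accept anything self-signed"
            "pinned_to_other": try_handshake(peer_cert, peer_key, pinned_client_context(other_cert)),
        }


if __name__ == "__main__":
    print(run_demo() or "openssl CLI not found; nothing to demonstrate")
```

Two things worth noticing: `check_hostname` stays on, so the pinned cert must still name the host you connect to (hence the SAN), and because the system CA bundle is never loaded, a certificate signed by any public CA would be rejected just like the "other" cert. For a closed cluster whose members all hold each other's certs, that is exactly the property you want.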


