osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SSL/TLS support in Pyro4


On 04/08/2017 15:44, Robin Becker wrote:
> ..........
>>
>> Hi Robin
>>
>> I am not sure how this is any benefit over the self-signed root certs that I now use?
>>
>> Except for the fact that these are a root cert as well and don't use any CA trust chain.
>> To be able to validate this cert, I have to load it as a CA cert on the validating side.
>> Which isn't bad perse.
>>
>> I've used openssl as mentioned here to create my certs:
>> https://docs.python.org/3.7/library/ssl.html#self-signed-certificates
> .........Welle I was thinking perhaps you had trouble with self signed certs for some
> reason. I only used CA type setup because some recipe for mongo clusters seems to want
> that. I think the mariadb clusters were fine with simple self signed certs. However, if
> I control the cluster can I not just distribute the cert to all members and have them
> validate it against itself or does python refuse to do that? I vaguely remember some
> python apis allow the authority chain to be specified.

You can specify a CAcert using load_verify_locations on the ssl context. Is that what
you meant? I figured out that if you set that to the peer's certificate it will then be
accepted.  I understand it as much as "hey openssl here is a root cert that you should
trust if you encounter it".
Without doing this, the cert is denied on the SSL level (unless you set the ssl options
to no-cert-required but that is definitely not what I wanted)

Bottom line is I learned something new :)

And also that Python's standard ssl library isn't as bad as I remember it to be a few
years ago.  Is there still a reason to use, say, PyOpenSSL anymore?


Irmen