
SSL connection with client-side certificate

Is it possible for a client to establish a SSL connection to a server using the server's certificate already exchanged through other means?

The point would be to encrypt the connection using the certificate already with the client and not have to rely on the server to provide it. The server would still have the private key for the certificate the client uses.

This question isn't language specific, but answers specific to python and twisted are appreciated.

The certificates in SSL/TLS are only used for authentication, the encryption itself is done by shared keys negotiated during the handshake.

If you want to use certificates, you'll always need at least the SSL/TLS server to have a certificate (which may be the TCP client). You can indeed swap the role of the client and server when making the connection. That is, the SSL/TLS server doesn't have to be the TCP server, but can be the TCP client. See the definition in the specification glossary:

  client: The application entity that initiates a TLS connection to a server. This may or may not imply that the client initiated the underlying transport connection. The primary operational difference between the server and client is that the server is generally authenticated, while the client is only optionally authenticated.

However, doing so can lead to difficulties. Just like a server in a traditional SSL/TLS connection can't detect whether the request has been through a MITM (it's solely the client's responsibility to check the server certificate, without client-certificate authentication), making the TCP client be the SSL/TLS server makes it hard for the TCP client to know that it's talking to the TCP server it intended: the server could in fact be a MITM. You'd need to consider whether this suits your needs.

In Python, you should be able to choose the orientation of your SSL/TLS socket using the server_side parameter of ssl.wrap_socket.
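The role swap this answer describes, as an added example (not the answerer's code): the TCP client wraps its socket with server_side=True and presents the certificate, while the TCP server wraps its accepted socket as the TLS client and pins that certificate. It uses SSLContext.wrap_socket, since the module-level ssl.wrap_socket was removed in Python 3.12, and assumes the openssl CLI is available to mint a throwaway self-signed certificate; the peer name "tls-server.test" is constructed.

```python
import os, socket, ssl, subprocess, tempfile, threading

PEER_NAME = "tls-server.test"   # constructed name, used as CN and SAN of the test cert

def make_self_signed(dirpath, name=PEER_NAME):
    """Mint a throwaway key + self-signed cert with the openssl CLI (constructed test material)."""
    key, cert = os.path.join(dirpath, "key.pem"), os.path.join(dirpath, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", f"/CN={name}", "-addext", f"subjectAltName=DNS:{name}"],
                   check=True, capture_output=True)
    return key, cert

def swapped_roles_handshake():
    """TCP client plays TLS server, TCP server plays TLS client.
    Returns what each side learned about its peer from the handshake."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = make_self_signed(d)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        result = {}

        def tcp_server():
            # Accepts the TCP connection, then runs the TLS *client* side and
            # authenticates the peer against the single pinned certificate.
            conn, _ = listener.accept()
            ctx = ssl.create_default_context(cafile=cert)
            with ctx.wrap_socket(conn, server_side=False, server_hostname=PEER_NAME) as tls:
                result["tcp_server_sees_peer"] = tls.getpeercert()["subject"]
                tls.sendall(b"hello from the TLS client")

        t = threading.Thread(target=tcp_server)
        t.start()
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(cert, key)
        raw = socket.create_connection(("127.0.0.1", port))
        with ctx.wrap_socket(raw, server_side=True) as tls:   # the role swap
            # No client-certificate auth was requested, so this side learns nothing
            # about who it is talking to: the MITM caveat the answer warns about.
            result["tcp_client_sees_peer"] = tls.getpeercert()
            result["msg"] = tls.recv(64)
        t.join()
        listener.close()
        return result
```

The TLS-client side (the TCP server) gets a verified subject back, while the TLS-server side (the TCP client) gets None from getpeercert(), which is exactly the asymmetry the answer describes.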

  The server would still have the private key for the certificate the client uses.

This doesn't make sense at all. Private keys should be kept private by the party to which the certificate was issued.

Perhaps you're after a Pre-Shared Key mechanism instead.

In TLS, the server (the side which listens for connections) always needs a certificate. Client-side certificates may be used only for peer authentication, but not for the channel encryption.

Keep in mind also that you can't simply "encrypt" a connection without some infrastructure to verify the certificates in some way (using certification authorities, or trust databases for example). Encryption without certificate validity verification does not hold against an active adversary (google for 'man in the middle attack' for more details on this).
