"Martin v. Löwis" <[EMAIL PROTECTED]> writes:
> > But how can I tell my Python program to trust my SSL certificate?
>
> Why do you want to tell it that? The SSL module will trust *any*
> server certificate, no need to tell it explicitly which ones to
> trust.

Er, the whole idea of SSL is that you don't trust the connection. So failing to authenticate the other end is a security failure and SSL should not be used that way. From RFC 4346:

    Warning: Completely anonymous connections only provide protection
    against passive eavesdropping. Unless an independent tamper-proof
    channel is used to verify that the finished messages were not
    replaced by an attacker, server authentication is required in
    environments where active man-in-the-middle attacks are a concern.

It's silly to worry about an eavesdropper being nosy enough to intercept your data passively, but somehow still expect them to be considerate enough to not use an MITM attack. Always use authentication if it's worth bothering with cryptographic security at all.

Another plan for server to server communication might be to use a VPN rather than connection level SSL. That would simplify your application programming if you can set up the encrypted network at both ends.
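
An added example, not part of the original message: the "trust any certificate" behaviour discussed above set beside a client context that authenticates the server against your own certificate. It assumes the current Python 3 `ssl` module API; the function names and the `cafile` path are hypothetical.

```python
import socket
import ssl


def trust_any_context():
    """Encrypts but authenticates nothing: any server certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # open to an active man-in-the-middle
    return ctx


def verifying_context(cafile=None):
    """Require a server certificate that chains to a trusted root.

    cafile: PEM file with your own CA or self-signed server certificate
    (hypothetical path). When given it is the only trust anchor; otherwise
    the system default store is loaded.
    """
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def peer_subject(host, port, ctx, timeout=5.0):
    """Handshake with host:port and return the peer certificate's subject.

    With a verifying context a bad chain or hostname mismatch raises
    ssl.SSLCertVerificationError. With trust_any_context() the handshake
    succeeds against anyone and no validated subject is available (None).
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return (tls.getpeercert() or {}).get("subject")


if __name__ == "__main__":
    for name, ctx in (("trust-any", trust_any_context()),
                      ("verifying", verifying_context())):
        print(name, ctx.verify_mode, "check_hostname =", ctx.check_hostname)
```
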