[Twisted-Python] Clarification for IReactorSSL.ListenSSL(...)

[Trevor Perrin]

Hi Carl,

At 12:55 AM 4/9/2004 +0000, you wrote:
[...]
>One of the parameters for the ListenSSL(...) method is contextFactory.  After
>some digging, I think that the only concrete class available right now for
>this is DefaultOpenSSLContextFactory?  I am not entirely clear what the
>parameters used to initialize this object mean, though.  Specifically, the
>privateKeyFileName and certificateFileName are a little sketchy from my point
>of view.

These will be files containing a PEM-encoded private key and corresponding 
certificate.  They'll look like:

-----BEGIN CERTIFICATE-----
MIICoDCCAgmgAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJBVTET
[.....]

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDf7GIdMhGG92vnyngDqgELrEyU9nX2FI1/nyzgDd/w5FXgg5dH
[.....]


>Also, does anyone know of an easier way for generating certificates than 
>going
>through all the manual steps in the OpenSSL docs?

Generating a new key and self-signed cert with OpenSSL is really easy:
http://www.openssl.org/docs/HOWTO/

Then just pass these filenames, and it should work.


>I want to use SSL because
>I want two machines to be able to talk to each other without passing
>sensitive data in the clear, so I am not sure if stuff like certificate
>authorities really need to fit into the picture.

If I was you, I wouldn't use CAs, but would have each side authenticate the 
other based on a fingerprint (i.e. the hash value of the other's certificate).

I'm not sure how to do this with the Twisted's default SSL, but I've 
written a TLS library for Twisted that does this.  However, it may be a bit 
of effort to integrate in your particular app:
http://trevp.net/tlslite/


Trevor