[Twisted-Python] SSL Client Certificates?

Jean-Paul Calderone exarkun at divmod.com
Tue Nov 25 14:24:43 EST 2008


On Tue, 25 Nov 2008 12:09:19 -0700, asset <asset at impactdamage.com> wrote:
>Would I be right in assuming that the example echoserv_ssl.py and echoclient_ssl.py will only result in encryption from the client to server and not from the server back to the client?
>
>I'm referencing these examples specifically,
>http://twistedmatrix.com/projects/core/documentation/examples/echoclient_ssl.py
>http://twistedmatrix.com/projects/core/documentation/examples/echoclient_ssl.py
>
>From what I know of SSL, the client connects to the server, and after the handshake it uses the cert to encrypt its communication to the server and the server uses the private key to decrypt it; but the server's traffic back to the client will not be encrypted without having to use a client certificate.
>
>So my question is how wrong am I on this? And if needed, how do I set up a client certificate to succeed in two way encryption?

You are indeed mistaken.  The use or non-use of a certificate is orthogonal
to whether traffic is encrypted.  The primary purpose of the certificate is
identification of the endpoint.  Encryption can happen without a certificate
(it can also not happen, even with a certificate).

http://en.wikipedia.org/wiki/Transport_Layer_Security gives a reasonable
overview.

If you need identification in both directions, you can set up the server
to require a certificate using the same APIs you use to have a client
require one and you can use the same APIs on the client to use a certificate
as you use on the server to do that.

Jean-Paul
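Added example (not from this thread, and not Twisted's own code): the two points in the reply above, shown over a loopback connection with Python's standard ``ssl`` and ``socket`` modules instead of Twisted's APIs. It assumes the ``openssl`` command-line tool is on PATH, uses it to mint throwaway self-signed certificates, and the names ``run_scenario``, ``demo``, ``peer_common_name``, ``localhost`` and ``client-demo`` are constructed for the example. Three exchanges are run: ordinary one-way TLS (the server never asks for a client certificate, yet a cipher is negotiated and traffic in both directions is encrypted), a server that requires a client certificate talking to a client that has none (the handshake fails), and the same server with a client that presents one (the server can read the client's identity). The same knobs do the work on both sides: ``verify_mode``/``load_verify_locations`` to demand and check the peer's certificate, ``load_cert_chain`` to present your own.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(directory, name, common_name, san=None):
    """Mint a throwaway self-signed certificate and key with the openssl CLI
    (assumed to be on PATH).  Constructed test material, valid for one day."""
    key = os.path.join(directory, name + ".key")
    cert = os.path.join(directory, name + ".pem")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
           "-keyout", key, "-out", cert, "-days", "1",
           "-subj", "/CN=" + common_name]
    if san:
        cmd += ["-addext", "subjectAltName=" + san]
    subprocess.run(cmd, check=True, capture_output=True)
    return cert, key


def peer_common_name(cert):
    """Pull the CN out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in (cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _serve_once(listener, ctx, result):
    """Accept one TLS connection, echo one message, record what the peer proved."""
    conn, _ = listener.accept()
    listener.close()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            result["cipher"] = tls.cipher()      # negotiated with or without a client cert
            result["peer"] = tls.getpeercert()   # falsy unless a client cert was verified
            tls.sendall(tls.recv(4096))
    except (ssl.SSLError, OSError) as exc:
        result["error"] = type(exc).__name__
    finally:
        conn.close()


def run_scenario(server_cert, server_key, client_cert, client_key,
                 require_client_cert, client_presents_cert):
    """Run one client/server exchange over loopback and report what happened."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(server_cert, server_key)
    if require_client_cert:
        # The same knobs a client uses to demand a server cert, now on the server.
        server_ctx.verify_mode = ssl.CERT_REQUIRED
        server_ctx.load_verify_locations(cafile=client_cert)  # trust anchor for the client

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies the server by default
    client_ctx.load_verify_locations(cafile=server_cert)   # trust anchor for the server
    if client_presents_cert:
        # The same call the server makes to present its identity, now on the client.
        client_ctx.load_cert_chain(client_cert, client_key)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(target=_serve_once, args=(listener, server_ctx, result))
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"hello")
                result["echo"] = tls.recv(4096)
    except (ssl.SSLError, OSError) as exc:
        result.setdefault("error", type(exc).__name__)
    worker.join()
    return result


def demo():
    """One-way TLS, mutual TLS without a client cert, mutual TLS with one."""
    with tempfile.TemporaryDirectory() as tmp:
        s_cert, s_key = make_self_signed(tmp, "server", "localhost", san="DNS:localhost")
        c_cert, c_key = make_self_signed(tmp, "client", "client-demo")
        return {
            "one_way": run_scenario(s_cert, s_key, c_cert, c_key, False, False),
            "mutual_no_cert": run_scenario(s_cert, s_key, c_cert, c_key, True, False),
            "mutual": run_scenario(s_cert, s_key, c_cert, c_key, True, True),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome.get("echo"), outcome.get("cipher"),
              peer_common_name(outcome.get("peer")), outcome.get("error"))
```

In the one-way case the server's ``getpeercert()`` is empty while ``cipher()`` still reports a negotiated cipher, which is the reply's point: encryption is settled by the handshake, and certificates only decide who is identified. Requiring a client certificate is the server reusing the client's own verification settings; presenting one is the client reusing the server's ``load_cert_chain``.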