tags:

views:

224

answers:

2
+1  Q: 

What to put for a commonName when making an OpenSSL key?

I have an application application framework that works in a peer-to-peer manner between unnamed hosts on a network. I want to have the traffic be encrypted, so I've implemented a setup with M2Crypto, but I've run into a snag. I have no idea what to put down for 'commonName' when creating the cert. It seems to want a domain name, but none of the computers running this will have one. I just put 'temphost' for the commonName, but apparently this an important parameter. I got this when trying to test it:

M2Crypto.SSL.Checker.WrongHost: Peer certificate commonName does not match host, expected 127.0.0.1, got temphost

Is there a way to generalize the commonName?

+1  A: 

In your use case the default host name checking is not appropriate. You might want to try just doing certificate fingerprint checking. First, get the fingerprints of each certificate (openssl x509 -fingerprint). Let's say you have peer A and peer B, with fingerprint A and fingerprint B, respectively.

On peer A side, you will make the following calls early on in your script:

from M2Crypto import SSL
SSL.Connection.clientPostConnectionCheck = SSL.Checker(peerCertHash='fingerprint B')

On peer B side you do the same, except use fingerprint A. Now the certificate checker will only check to make sure that the fingerprints match, and won't do further checks.

This approach does mean that it will override the post connection check for ALL SSL connections, so it is not suitable in all use cases. If you can control the creation of the SSL.Connection object, you could also call set_post_connection_check_callback() per instance, which would allow different checker to be used when needed.

Heikki Toivonen  2010-01-27 21:46:54
Thanks, though the issue is that there are numerous peers added constantly and their certs are generated when the application is installed. Would this mean I would have to have each peer be aware of the fingerprints of all the other potential peers?
directedition  2010-01-27 22:16:51
Ah, using this approach, yes. So, what I wrote above won't work for you then.
Heikki Toivonen  2010-01-28 01:29:23
Are you sure you are really doing any authentication at all?
GregS  2010-01-29 00:52:07
Yes, you are making sure that only a specific peer (certificate) you know about can communicate with you. The strength of this of course depends on the hash algorithm. Don't use MD5 or weaker.
Heikki Toivonen  2010-01-29 18:21:54
+1  A: 

So based on your comment to my first answer I decided to offer another solution that might work for your case. Create your own CA cert and key. Then in your peers tell M2Crypto to accept only certificates that were signed by this CA (see this older stackoverflow question for APIs to use: http://stackoverflow.com/questions/1848160/what-is-the-difference-between-m2cryptos-set-client-ca-list-from-file-and-load/1849277#1849277).

Then early on in your scripts do this:

from M2Crypto import SSL
SSL.Connection.clientPostConnectionCheck = None

or if you need to be able to make other kinds of SSL connections, see if you can control the creation of SSL.Connection objects and call their set_post_connection_check_callback() with suitable checker.

After this your peers should accept any other peer as long as the peer's certificate was signed with your CA only.

If you can think of any extra information you could verify in a post connection check, you could put that info in the certs (maybe in commonName) and write your own checker to use (instead of None above).

Heikki Toivonen  2010-01-28 01:39:23
Thanks! That seems to work!
directedition  2010-01-28 13:42:18

related questions

Programmatically talking to a Serial Port in OS X or Linux
Best ways to teach a beginner to program?
Calling a Function From a String With the Function's Name in Python
An executable Python app
Text Editor For Linux (Besides Vi)?
What Hosting Service is best for Django applications?
File size differences after copying a file to a server vía FTP
Python: what is the difference between (1,2,3) and [1,2,3], and when should I use each?
Python: What OS am I running on?
How do I make a menu in python that does not require the user to press (enter) to make a selection?
How do you express binary literals in Python?
What is the most efficient graph data structure in Python?
Adding a Method to an Existing Object
How to learn Python: Good Example Code?
How do I use Python's itertools.groupby()?
Python and MySQL
Class views in Django
Is there an IDE that provides code completion for Python
Using 'in' to match an attribute of Python objects in an array
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Continuous Integration System for a Python Codebase
Get a preview jpeg of a pdf on windows?
How can I find the full path to a font from its display name on a Mac?
XML Processing in Python