The device pairing process is used to distribute and validate snakeoil certs in a hopefully semi-secure fashion. Works like so:
1) Server generates a pass phrase. Pass phrase is communicated to a user in a ideally secure fashion.
2) User starts the client they wish to pair with the server. Client requests the ssl certificate from the server over the clear.
3) Server generates a salted hash of the cert using the pass phrase. Cert is sent, salted hash is sent.
4) Client verifies the hash is valid. If it is, client reconnects via ssl, sends a device id request + pass phrase.
5) If the pass phrase is expected, the server generates a device id (uuid), sends it to the client, and saves it.
6) Client saves the device id locally.
Once this is done, all messages from and to the client contain the device id. If the id is missing, an error should be logged (or raised to the client), and the message should be ignored.
This information should be cleaned up and put in the docs or wiki or something.
The device pairing process is used to distribute and validate snakeoil certs in a hopefully semi-secure fashion. Works like so:
1) Server generates a pass phrase. Pass phrase is communicated to a user in a ideally secure fashion. 2) User starts the client they wish to pair with the server. Client requests the ssl certificate from the server over the clear. 3) Server generates a salted hash of the cert using the pass phrase. Cert is sent, salted hash is sent. 4) Client verifies the hash is valid. If it is, client reconnects via ssl, sends a device id request + pass phrase. 5) If the pass phrase is expected, the server generates a device id (uuid), sends it to the client, and saves it. 6) Client saves the device id locally.
Once this is done, all messages from and to the client contain the device id. If the id is missing, an error should be logged (or raised to the client), and the message should be ignored.
This information should be cleaned up and put in the docs or wiki or something.