britram
commented
8 years ago Someone has probably done this. Find them and bring them to me.
Open britram opened 8 years ago
britram
commented
8 years ago Someone has probably done this. Find them and bring them to me.
britram
commented
8 years ago tls.py should use actual certificates.
irl
commented
8 years ago @britram https://github.com/OpenVPN/easy-rsa - does this link remove the question tag? if so, the PKI directory can be replaced with some documentation on using easy-rsa to manage certs.
britram
commented
8 years ago Let's assume easy-rsa is the way to go here.
britram
commented
8 years ago I've marked up tls.py with comments on each function on TlsState in c74696110645dd4b0aacefdfbb669e80ad5f23e9. Summary: we need
get_ssl_context() that gets an ssl.SSLContext based on the configuration (to pass to websockets.server.serve() and websockets.client.connect().get_local_identity() that turns a configuration into a local identity string (i.e., a key for authorization roles)get_peer_identity() that turns a... something to be determined, into an identity string (key for ComponentClientContext in async_component.py, as well as for authorization roles)Tip everything else in tls.py into the bin. :)
Look into ways to build a PKI (e.g. OpenVPN?) from a declaration about the mPlane infrastructure to protect.