Open britram opened 8 years ago
Someone has probably done this. Find them and bring them to me.
tls.py should use actual certificates.
@britram https://github.com/OpenVPN/easy-rsa - does this link remove the question tag? If so, the PKI directory can be replaced with some documentation on using easy-rsa to manage certs.
Let's assume easy-rsa is the way to go here.
I've marked up tls.py with comments on each function on TlsState in c74696110645dd4b0aacefdfbb669e80ad5f23e9. Summary: we need

- get_ssl_context() that gets an ssl.SSLContext based on the configuration (to pass to websockets.server.serve() and websockets.client.connect())
- get_local_identity() that turns a configuration into a local identity string (i.e., a key for authorization roles)
- get_peer_identity() that turns a... something to be determined, into an identity string (key for ComponentClientContext in async_component.py, as well as for authorization roles)

Tip everything else in tls.py into the bin. :)
Look into ways to build a PKI (e.g. OpenVPN?) from a declaration about the mPlane infrastructure to protect.