[pyar] Auth between server / client using https and avoiding theft of info in the middle ...

Emiliano Dalla Verde Marcozzi edvm en airtrack.com.ar
Tue Jan 18 10:39:41 ART 2011


On January 18, 2011 at 10:22, Roberto Alsina
<ralsina en netmanagers.com.ar> wrote:

> A "simple" (ha) solution is to use Pound: http://www.apsis.ch/pound/


Thanks Roberto, it looks very good! But this part brought me down a bit ...

If a client browser connects via HTTPS and if it presents a certificate and
if HTTPSHeaders is set, Pound will obtain the certificate data and add the
following HTTP headers to the request it makes to the server:

   - X-SSL-Subject: information about the certificate owner
   - X-SSL-Issuer: information about the certificate issuer (CA)
   - X-SSL-notBefore: begin validity date for the certificate
   - X-SSL-notAfter: end validity date for the certificate
   - X-SSL-serial: certificate serial number (in decimal)
   - X-SSL-cipher: the cipher currently in use
   - X-SSL-certificate: the full client certificate (multi-line)

It is the application's responsibility to actually use these headers;
Pound just passes this information without checking it in any way (except
for signature and encryption correctness).
Please note that this mechanism allows forgeries: a client may (maliciously)
send these headers to Pound in order to masquerade as an SSL client with a
specific certificate.

-- 
*Emiliano Dalla Verde Marcozzi*
Head of IT and Python Ninja Developer



San Juan 4879
Rosario. Argentina
Tel. (+54) 341 437 6878
www.airtrack.com.ar

"Chuck Norris doesn't need a debugger, he just stares down the bug until the
code confesses."
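An added example, not from the thread nor from Pound itself, of how a Python backend behind Pound can act on that warning: the WSGI middleware below discards any X-SSL-* header unless the TCP peer is a proxy address we trust (the loopback network used here is a constructed assumption), so a client that reaches the backend directly cannot assert an identity by hand.

```python
import ipaddress

# Constructed assumption: the address(es) of the Pound instance(s) that are
# allowed to assert client identity. Adjust to your deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

# WSGI spells the X-SSL-Subject, X-SSL-Issuer, ... headers as HTTP_X_SSL_*
SSL_HEADER_PREFIX = "HTTP_X_SSL_"


def from_trusted_proxy(remote_addr, trusted=TRUSTED_PROXIES):
    """True only if the peer that opened the TCP connection is a trusted proxy."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:  # missing or malformed REMOTE_ADDR: never trust
        return False
    return any(addr in net for net in trusted)


def strip_untrusted_ssl_headers(environ, trusted=TRUSTED_PROXIES):
    """Copy of the WSGI environ in which X-SSL-* headers survive only when the
    request arrived from a trusted proxy; everything else is left untouched."""
    if from_trusted_proxy(environ.get("REMOTE_ADDR", ""), trusted):
        return dict(environ)
    return {k: v for k, v in environ.items() if not k.startswith(SSL_HEADER_PREFIX)}


def client_subject(environ, trusted=TRUSTED_PROXIES):
    """Certificate subject asserted by Pound, or None if absent or untrusted."""
    return strip_untrusted_ssl_headers(environ, trusted).get("HTTP_X_SSL_SUBJECT")


def ssl_header_middleware(app, trusted=TRUSTED_PROXIES):
    """Wrap a WSGI app so it only ever sees X-SSL-* headers set by a trusted proxy."""
    def wrapped(environ, start_response):
        return app(strip_untrusted_ssl_headers(environ, trusted), start_response)
    return wrapped
```

This closes the direct-to-backend path only: a forged header that travels through Pound itself arrives from the trusted address and is indistinguishable to the application, so the proxy must also drop client-supplied X-SSL-* headers before adding its own.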

