I am trying to understand the semantics of SSL sockets in Thrift. In particular, what the fields do: ca_certs, keyfile, and certfile.
Is it to use the keyfile path to the private key on the client, and then this is verified using a server-side certificate using the certificate in certfile?
The fields seem to be inverted to me, as I expect to see the keyfile field on the server side, and not on the client side.
Is the server-side certfile really a PEM (which means a combination of a public certificate and a private key), or is it just a certificate?
What is the proper use for authenticating a client to a server and vice versa?
TSSLSocket Initializer
def __init__(self,
             host='localhost',
             port=9090,
             validate=True,
             ca_certs=None,
             keyfile=None,
             certfile=None,
             unix_socket=None,
             ciphers=None):
    """Create SSL TSocket
    @param validate: Set to False to disable SSL certificate validation
    @type validate: bool
    @param ca_certs: Filename to the Certificate Authority pem file, possibly a
    file downloaded from: http://curl.haxx.se/ca/cacert.pem This is passed to
    the ssl_wrap function as the 'ca_certs' parameter.
    @type ca_certs: str
    @param keyfile: The private key
    @type keyfile: str
    @param certfile: The cert file
    @type certfile: str
    @param ciphers: The cipher suites to allow. This is passed to
    the ssl_wrap function as the 'ciphers' parameter.
    @type ciphers: str
    Raises an IOError exception if validate is True and the ca_certs file is
    None, not present or unreadable.
    """
Server side:
class TSSLServerSocket(TSocket.TServerSocket):
    SSL_VERSION = ssl.PROTOCOL_TLSv1

    def __init__(self,
                 host=None,
                 port=9090,
                 certfile='cert.pem',
                 unix_socket=None,
                 ciphers=None):
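The three fields are easiest to understand by running the underlying Python `ssl` calls that TSSLSocket wraps. The block below is an added example, not Thrift's own code or part of the question: it mints a throwaway CA, a server certificate and a client certificate with the `openssl` command line (the constructed extension profiles are in `OPENSSL_CNF`), then performs three handshakes over loopback. It assumes the parameters are handed straight through to the ssl wrap call, as the docstring above says for `ca_certs`: on the client, `ca_certs` is the trust store used to verify the server's certificate (`validate=True` is `CERT_REQUIRED`), while `certfile` and `keyfile` are the client's own certificate and private key, presented only if the server asks for them; on the server, `certfile` is a single PEM holding the server's certificate and its private key, which is why `TSSLServerSocket` has no `keyfile` parameter. The file and CN names (`server-chain.pem`, `thrift-client`, and so on) are choices made for this example.

```python
"""Mutual TLS with the ssl module, which TSSLSocket wraps (added example, not
Thrift code): mints a throwaway CA, server cert and client cert with the
openssl CLI, then runs three handshakes to show what each parameter does."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

OPENSSL_CNF = """# extension profiles for the throwaway PKI (constructed for this example)
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
authorityKeyIdentifier = keyid:always
[client_ext]
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid:always
"""

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_pki(workdir):
    """ca.pem, client.pem + client-key.pem, and server-chain.pem (cert THEN key in one file)."""
    p = lambda name: os.path.join(workdir, name)
    with open(p("openssl.cnf"), "w") as f:
        f.write(OPENSSL_CNF)
    _openssl("req", "-x509", "-config", p("openssl.cnf"), "-extensions", "ca_ext",
             "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj", "/CN=Test CA",
             "-keyout", p("ca-key.pem"), "-out", p("ca.pem"))
    for name, cn, ext in (("server", "localhost", "server_ext"),
                          ("client", "thrift-client", "client_ext")):
        _openssl("req", "-new", "-config", p("openssl.cnf"), "-newkey", "rsa:2048",
                 "-nodes", "-subj", f"/CN={cn}", "-keyout", p(f"{name}-key.pem"),
                 "-out", p(f"{name}.csr"))
        _openssl("x509", "-req", "-days", "1", "-in", p(f"{name}.csr"), "-CA", p("ca.pem"),
                 "-CAkey", p("ca-key.pem"), "-CAcreateserial", "-extfile", p("openssl.cnf"),
                 "-extensions", ext, "-out", p(f"{name}.pem"))
    with open(p("server-chain.pem"), "w") as out:   # the layout a keyfile-less certfile implies
        for part in ("server.pem", "server-key.pem"):
            out.write(open(p(part)).read())
    return {"ca": p("ca.pem"), "server_chain": p("server-chain.pem"),
            "client_cert": p("client.pem"), "client_key": p("client-key.pem")}

def serve_once(server_ctx, listener, result):
    """Accept one connection and greet the client by the CN of the cert it presented, if any."""
    conn = None
    try:
        conn, _ = listener.accept()
        conn.settimeout(5)
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            subject = (tls.getpeercert() or {}).get("subject", ())   # None when no client cert
            cn = next((v for rdn in subject for k, v in rdn if k == "commonName"), None)
            result["peer_cn"] = cn
            tls.sendall(f"hello {cn or 'anonymous'}".encode())
    except OSError as exc:        # ssl.SSLError is an OSError; a missing client cert lands here
        result["error"] = type(exc).__name__
    finally:
        if conn:
            conn.close()

def client_hello(client_ctx, port):
    """Connect, verify the server against ca_certs, return its greeting or None on failure."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            data = tls.recv(64)
            return data.decode() if data else None
    except OSError:               # handshake failure, or the alert that follows it under TLS 1.3
        return None

def run_handshake(pki, require_client_cert, present_client_cert):
    """One exchange; returns (greeting seen by the client, client CN seen by the server)."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(pki["server_chain"])        # server certfile: cert + key PEM
    if require_client_cert:                                # client authentication on the server
        server_ctx.verify_mode = ssl.CERT_REQUIRED
        server_ctx.load_verify_locations(pki["ca"])        # CA that issued the client certs
    client_ctx = ssl.create_default_context(cafile=pki["ca"])   # client ca_certs + validate=True
    if present_client_cert:                                # client certfile/keyfile: its own identity
        client_ctx.load_cert_chain(pki["client_cert"], pki["client_key"])
    listener = socket.create_server(("127.0.0.1", 0))
    listener.settimeout(5)
    result = {}
    worker = threading.Thread(target=serve_once, args=(server_ctx, listener, result))
    worker.start()
    greeting = client_hello(client_ctx, listener.getsockname()[1])
    worker.join()
    listener.close()
    return greeting, result.get("peer_cn")

def demo():
    """Server-only auth, mutual auth, and a server that demands a cert the client lacks."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_pki(workdir)
        return {"server_auth_only": run_handshake(pki, False, False),
                "mutual": run_handshake(pki, True, True),
                "no_client_cert": run_handshake(pki, True, False)}
```

`demo()` returns `("hello anonymous", None)` when only the server is authenticated, `("hello thrift-client", "thrift-client")` when both sides present certificates issued by the CA in `ca_certs`, and `(None, None)` when the server requires a client certificate and the client was started without `certfile`/`keyfile`. Note that the server class quoted above never sets `CERT_REQUIRED` or loads a CA, so with that code alone the client's `certfile`/`keyfile` are never requested; authenticating clients needs the server-side half of this example as well.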