Changeset 156 for etherws/trunk/README.rst

Timestamp:

05/19/12 03:00:33 (12 years ago)

Author:

atzm

Message:

• server cert verification support

File:

• etherws/trunk/README.rst (modified) (1 diff)

etherws/trunk/README.rst

@@ -51 +51 @@
   # ifconfig eth0 mtu 1400
 
-Tunnel Encryption
-=================
-etherws supports SSL/TLS connection (but client does not verify server
-certificates).
+Using SSL/TLS
+=============
+etherws supports SSL/TLS connection.
 If you want to encrypt the tunnel, then you can use following options.
 
-on *Hypervisor1* (options *keyfile* and *certfile* were specified)::
+on *Hypervisor1*::
 
   # etherws server --keyfile ssl.key --certfile ssl.crt
 
-on *Hypervisor2* (option *uri*'s scheme was changed to *wss*)::
+*ssl.key* is a server private key, and *ssl.crt* is a server certificate.
 
-  # etherws client --uri wss://<Hypervisor1's IP address>/
-
-You also can test by following command::
+Now you also can test SSL/TLS connection by following command::
 
   # openssl s_client -connect <Hypervisor1's IP address>:443
+
+on *Hypervisor2*::
+
+  # etherws client --uri wss://<Hypervisor1's IP address>/ --cacerts ssl.crt
+
+Here, URI scheme was just changed to *wss*, and CA certificate to verify
+server certificate was specified.
+
+By the way, client verifies server certificate by default.
+So, for example, client will die with error messages if your server uses
+self-signed certificate and client uses another CA certificate.
+
+If you want to just encrypt the tunnel and do not need to verify
+certificate, then you can use following option::
+
+  # etherws client --uri wss://<Hypervisor1's IP address>/ --insecure
+
+Note: see `<http://docs.python.org/library/ssl.html#certificates>`_
+for more information about certificates.
 
 Client Authentication