Reputation: 3350
I've read so many answers, tutorials and posts about push notifications. I've managed the registration, creating the certificate p12 and pem files, as well as the Apple provisioning just fine, so my application knows how to receive push notifications (or at least it looks like it does).
Now I'm trying to set up my server side - python/django.
I've uploaded the key & cert pem files into my server folder, following this answer here at SO. I'm getting an error when I try to ssl_sock.connect( theHost )
since the pem has a passphrase. I've read many people saying just to remove the passphrase, but then isn't the whole security of public/private keys out of the window? And if using this approach, do I need to remove the passphrase from the pem file at Apple as well? Or the one I've downloaded to my Mac?
Upvotes: 0
Views: 222
Reputation: 3531
To expand on meda's answer - think about this:
If you put a pass phrase on a certificate, you will need to hard-code the pass phrase somewhere in your Django project, since it will need that pass phrase to load the certificate.
If someone compromises your server, they have your certificate. "No problem!", you think. You've got a pass phrase, so they can't do anything with it!
Except they also have access to your source code.
So now they have your pass phrase, and your certificate.
So all you really did was add hassle for yourself, without any benefit.
Pass phrases on certificates make sense if the certificate is being stored among other shared assets, for whatever reason, or for high encryption concerns where the private key will ONLY be used manually, by an individual or group.
In all other cases, it's a complete waste of effort.
Upvotes: 2
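An added example, not part of any answer in this thread: Python's `ssl.SSLContext.load_cert_chain` accepts a `password` argument, so a passphrase-protected PEM can be loaded without stripping it, and the passphrase can come from the process environment rather than from source code. The environment variable name `APNS_KEY_PASSPHRASE` and the function names are assumptions made for this example; the two checks report how the key file is stored on the server.

```python
import os
import ssl
import stat


def key_is_encrypted(pem_path):
    """Return True if the PEM private key is passphrase-protected."""
    with open(pem_path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    # PKCS#8 encrypted keys use their own PEM label; traditional
    # OpenSSL-format keys carry a Proc-Type header instead.
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in text
            or "Proc-Type: 4,ENCRYPTED" in text)


def key_file_findings(pem_path):
    """List problems with how the key file is stored on disk."""
    findings = []
    mode = stat.S_IMODE(os.stat(pem_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file is accessible to group/other (mode %o)" % mode)
    if not key_is_encrypted(pem_path):
        findings.append("private key is stored without a passphrase")
    return findings


def build_apns_context(cert_path, key_path, env_var="APNS_KEY_PASSPHRASE"):
    """Build a client TLS context; the passphrase is read from the
    environment (assumed variable name) instead of being hard-coded."""
    ctx = ssl.create_default_context()

    def _password():
        # Only called by the ssl module when the key is encrypted.
        value = os.environ.get(env_var)
        if value is None:
            raise RuntimeError("%s is not set" % env_var)
        return value

    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path, password=_password)
    return ctx
```

The context returned by `build_apns_context` is then used with `ctx.wrap_socket(sock, server_hostname=host)` before connecting.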
Reputation: 45500
I used PHP to accomplish this but I can tell you about what I know:
Upvotes: 0