ssl server: how to disable client cert verification?

Grant Edwards grant.b.edwards at gmail.com
Thu Feb 3 16:32:04 EST 2022


On 2022-02-03, Kushal Kumaran <kushal at locationd.net> wrote:

> On Thu, Feb 03 2022 at 10:57:56 AM, Grant Edwards <grant.b.edwards at gmail.com> wrote:
>> I've got a small ssl server app. I want to require a certificate from
>> the client, so I'm using a context with
>>
>> context.verify_mode = ssl.CERT_REQUIRED
>>
>> But, I want all certificates accepted. How do I disable client
>> certificate verification?
>>
>
> Perhaps you can explain what your goal is.

It's a troubleshooting utility for displaying a client's certificate.

> Which kinds of client certificates do you want to permit

All of them. Anything that's parsable as an X509 certificate no matter
how "invalid" it is.

> (to the best of my knowledge, none of these can be actually allowed):
>
> - expired certificates
> - self-signed certificates
> - certificates signed by untrusted CA
> - completely garbage certificates (bad signature, etc.)
>
> I don't see what benefit you expect from requiring client
> certificates if you don't care what the certificate says.

I do care what it says. The whole point is to find out what it says.

I just don't want it validated by the SSL layer: I want to print it
out. That seems to be trivial to do for server certificates using
"openssl s_client", but I can't find any way to do it for client
certificates.

> Why not simply set verify_mode to SSL_NONE and use other
> authentication mechanisms?

I'm not interested in doing any authentication.

I just want to require that the client provide a certificate and then
print it out using print(connection.getpeercert())

--
Grant
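As an added example that is not part of the thread and not code from either poster: a minimal Python server context that demands a client certificate with `ssl.CERT_REQUIRED`, plus helpers that turn the nested tuples returned by `getpeercert()` into a readable report and wrap the DER form from `getpeercert(binary_form=True)` as PEM for offline inspection. The CA file path and the `SAMPLE_PEER_CERT` dict are constructed assumptions; the standard-library `ssl` module offers no verify callback, so with `CERT_REQUIRED` the handshake only completes for certificates that chain to a CA loaded into the context.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert():
# each RDN is a tuple of (attribute, value) pairs. Not captured from a
# real connection.
SAMPLE_PEER_CERT = {
    "version": 3,
    "serialNumber": "0A1B2C",
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "client.example.test"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Test CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2022 GMT",
    "notAfter": "Jan  1 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "client.example.test"), ("email", "ops@example.test")),
}

# Short labels for the RDN attribute names the ssl module emits.
_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN"}


def make_server_context(cafile=None):
    """Server-side context that demands a client certificate.

    With CERT_REQUIRED the handshake is aborted unless the client presents
    a certificate chaining to a CA loaded here; the stdlib ssl module has
    no hook for accepting arbitrary certificates.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile is not None:  # hypothetical path to the CA that issued client certs
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def requires_client_cert(ctx):
    """True when the context will abort handshakes lacking a client cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def dn_to_string(rdns):
    """Flatten getpeercert()'s nested RDN tuples into 'C=US, O=..., CN=...'."""
    parts = []
    for rdn in rdns:
        for attr, value in rdn:
            parts.append(f"{_SHORT.get(attr, attr)}={value}")
    return ", ".join(parts)


def cert_expired(cert, now_ts):
    """True if notAfter lies before now_ts (UTC epoch seconds).
    ssl.cert_time_to_seconds parses the 'Jan  1 00:00:00 2023 GMT' form."""
    return now_ts > ssl.cert_time_to_seconds(cert["notAfter"])


def summarize_peer_cert(cert, now_ts):
    """Return a dict of strings for an operator-readable report."""
    if not cert:
        # getpeercert() returns {} when the chain was not validated and
        # None when no certificate was sent; only binary_form=True yields
        # the raw DER bytes regardless.
        return {"status": "no validated certificate"}
    sans = ", ".join(f"{kind}:{val}" for kind, val in cert.get("subjectAltName", ()))
    return {
        "subject": dn_to_string(cert["subject"]),
        "issuer": dn_to_string(cert["issuer"]),
        "serial": cert.get("serialNumber", "?"),
        "valid": f'{cert["notBefore"]} .. {cert["notAfter"]}',
        "expired": "yes" if cert_expired(cert, now_ts) else "no",
        "san": sans or "-",
    }


def der_to_pem(der_bytes):
    """Wrap DER from getpeercert(binary_form=True) as PEM so it can be
    examined with `openssl x509 -text -noout -in peer.pem`."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def serve_once(ctx, host="127.0.0.1", port=8443):
    """Accept one client, print what it presented, then close.
    Needs a CA file loaded into ctx and a real client; not exercised offline."""
    with socket.create_server((host, port)) as srv, \
            ctx.wrap_socket(srv, server_side=True) as tls:
        conn, _ = tls.accept()  # handshake happens here
        with conn:
            now = datetime.now(timezone.utc).timestamp()
            for key, val in summarize_peer_cert(conn.getpeercert(), now).items():
                print(f"{key:>8}: {val}")
            print(der_to_pem(conn.getpeercert(binary_form=True)))
```

Call `serve_once(make_server_context("ca.pem"))` to run the listener; the two-form `getpeercert()` call matters because the parsed dict only carries fields for a validated certificate, while the DER form is what you save for a full `openssl x509 -text` dump.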
