ssl server: how to disable client cert verification?

Barry barry at barrys-emacs.org
Thu Feb 3 16:52:41 EST 2022



> On 3 Feb 2022, at 21:34, Grant Edwards <grant.b.edwards at gmail.com> wrote:
> 
> On 2022-02-03, Kushal Kumaran <kushal at locationd.net> wrote:
> 
>>> On Thu, Feb 03 2022 at 10:57:56 AM, Grant Edwards <grant.b.edwards at gmail.com> wrote:
>>> I've got a small ssl server app. I want to require a certificate from
>>> the client, so I'm using a context with
>>> 
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> 
>>> But, I want all certificates accepted. How do I disable client
>>> certificate verification?
>>> 
>> 
>> Perhaps you can explain what your goal is.
> 
> It's a troubleshooting utility for displaying a client's certificate.
> 
>> Which kinds of client certificates do you want to permit
> 
> All of them. Anything that's parsable as an X509 certificate no matter
> how "invalid" it is.
> 
>> (to the best of my knowledge, none of these can be actually allowed):
>> 
>> - expired certificates
>> - self-signed certificates
>> - certificates signed by untrusted CA
>> - completely garbage certificates (bad signature, etc.)
>> 
>> I don't see what benefit you expect from requiring client
>> certificates if you don't care what the certificate says.
> 
> I do care what it says. The whole point is to find out what it says.
> 
> I just don't want it validated by the SSL layer: I want to print it
> out. That seems to be trivial to do for server certificates using
> "openssl s_client", but I can't find any way to do it for client
> certificates.
> 
>> Why not simply set verify_mode to SSL_NONE and use other
>> authentication mechanisms?
> 
> I'm not interested in doing any authentication.
> 
> I just want to require that the client provide a certificate and then
> print it out using print(connection.getpeercert())

I am not near the pc with the code on. But in outline you provide an ssl context that
returns true for the validation of the cert always. You also get to have the x509 cert
in your hands. I use pyopenssl to play with x.509 certs.

Let me know if this is not enough info and I will dig out the code I have that
does this custom cert stuff.

Barry

> 
> --
> Grant
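A sketch of what Barry outlines, written as an added example for this thread (not code from any poster): a pyOpenSSL server context whose verify callback records OpenSSL's verdict but always returns True, so the handshake completes and the client certificate can be dumped. The file names server.crt / server.key and port 4433 are assumed placeholders.

```python
import socket
from OpenSSL import SSL, crypto

# One entry per chain element OpenSSL showed us: (depth, errno, preverify_ok).
verify_log = []

def accept_any_client_cert(conn, cert, errno, depth, preverify_ok):
    """OpenSSL verify callback.  Records OpenSSL's own verdict for the
    diagnostic output, then returns True so the handshake completes whatever
    the certificate looks like.  This authenticates nobody; it only lets us
    inspect what a client sends."""
    verify_log.append((depth, errno, bool(preverify_ok)))
    return True

def make_server_context(certfile, keyfile):
    """Server context that requests and requires a client certificate
    but never rejects one (TLS_SERVER_METHOD needs pyOpenSSL >= 21)."""
    ctx = SSL.Context(SSL.TLS_SERVER_METHOD)
    ctx.use_certificate_file(certfile)   # placeholder: server.crt
    ctx.use_privatekey_file(keyfile)     # placeholder: server.key
    # VERIFY_PEER makes the server send a CertificateRequest,
    # VERIFY_FAIL_IF_NO_PEER_CERT aborts if the client sends nothing,
    # and the callback decides what happens to whatever is sent.
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                   accept_any_client_cert)
    return ctx

def describe_cert(x509):
    """Human-readable dump, like `openssl x509 -text`."""
    return crypto.dump_certificate(crypto.FILETYPE_TEXT, x509).decode()

def serve_once(ctx, host="127.0.0.1", port=4433):
    """Accept one blocking connection, finish the handshake, print the cert."""
    with socket.socket() as listener:
        listener.bind((host, port))
        listener.listen(1)
        raw, addr = listener.accept()
        conn = SSL.Connection(ctx, raw)
        conn.set_accept_state()
        conn.do_handshake()
        print(f"client {addr[0]}:{addr[1]} presented:")
        print(describe_cert(conn.get_peer_certificate()))
        for depth, errno, ok in verify_log:
            print(f"depth {depth}: OpenSSL verdict ok={ok} errno={errno}")
        conn.shutdown()
        conn.close()

if __name__ == "__main__":
    serve_once(make_server_context("server.crt", "server.key"))
```

The recorded errno values are OpenSSL's X509_V_ERR_* codes (0 when that chain element passed), so the tool shows both the certificate and why a normal server would have refused it.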
