ssl server: how to disable client cert verification?

Kushal Kumaran kushal at locationd.net
Thu Feb 3 21:25:05 EST 2022


On Thu, Feb 03 2022 at 01:32:04 PM, Grant Edwards <grant.b.edwards at gmail.com> wrote:
> On 2022-02-03, Kushal Kumaran <kushal at locationd.net> wrote:
>
>> On Thu, Feb 03 2022 at 10:57:56 AM, Grant Edwards <grant.b.edwards at gmail.com> wrote:
>>> I've got a small ssl server app. I want to require a certificate from
>>> the client, so I'm using a context with
>>>
>>> context.verify_mode = ssl.CERT_REQUIRED
>>>
>>> But, I want all certificates accepted. How do I disable client
>>> certificate verification?
>>>
>>
>> Perhaps you can explain what your goal is.
>
> It's a troubleshooting utility for displaying a client's certificate.
>
>> Which kinds of client certificates do you want to permit
>
> All of them. Anything that's parsable as an X509 certificate no matter
> how "invalid" it is.
>

Does `openssl x509 -in <filename> -text -noout` do what you want?

>> (to the best of my knowledge, none of these can be actually allowed):
>>
>> - expired certificates
>> - self-signed certificates
>> - certificates signed by untrusted CA
>> - completely garbage certificates (bad signature, etc.)
>>
>> I don't see what benefit you expect from requiring client
>> certificates if you don't care what the certificate says.
>
> I do care what it says. The whole point is to find out what it says.
>
> I just don't want it validated by the SSL layer: I want to print it
> out. That seems to be trivial to do for server certificates using
> "openssl s_client", but I can't find any way to do it for client
> certificates.
>

In your place, I would simply use the openssl x509 command.  If I wanted
more/different info, I would write a script to load the certificate and
print out the relevant info.  If this functionality must be provided
by a server, I would write it so that a certificate could be POSTed to
the server (without using client certificates), and it would in turn do
the parsing equivalent to what the standalone script would do and
respond with the relevant info.  (But I hear X.509 parsing is an
esoteric mess, and it's unclear to me what demons lie in the area of
parsing untrusted X.509 content).

I don't know how to use the stdlib's ssl module to do this kind of
parsing.  The cryptography package makes this simple though:

https://cryptography.io/en/latest/x509/reference/#loading-certificates

>> Why not simply set verify_mode to SSL_NONE and use other
>> authentication mechanisms?
>
> I'm not interested in doing any authentication.
>
> I just want to require that the client provide a certificate and then
> print it out using print(connection.getpeercert())
>

-- 
regards,
kushal
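The standalone script Kushal describes (load a certificate, print the relevant fields without validating it), as an added example that is not code from this thread. It uses the third-party `cryptography` package linked above, generates its own constructed sample certificate (self-signed and already expired, so a CA-backed `verify_mode` would reject it), and treats unparsable input as an expected condition rather than an exception, since the bytes come from an untrusted peer. Nothing in it checks the chain, signature or validity period; that is the point. The same `describe_certificate()` can be fed the DER bytes that the stdlib's `connection.getpeercert(binary_form=True)` returns, which is the raw certificate rather than the validated dict that `getpeercert()` without arguments produces.

```python
"""Parse an X.509 certificate and report the fields a troubleshooter wants.

Added example, not code from the mailing-list thread.  Requires the
third-party ``cryptography`` package (pip install cryptography).
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def describe_certificate(pem_or_der: bytes) -> dict:
    """Summarise a certificate as a dict, or return {"error": ...} if the
    bytes are not parsable.  No chain, signature or expiry validation is
    performed: the goal is only to show what the peer sent."""
    try:
        if b"-----BEGIN CERTIFICATE-----" in pem_or_der:
            cert = x509.load_pem_x509_certificate(pem_or_der)
        else:
            cert = x509.load_der_x509_certificate(pem_or_der)
    except ValueError as exc:
        # Garbage input is expected from untrusted peers; report, don't raise.
        return {"error": f"not a parsable X.509 certificate: {exc}"}

    # Newer cryptography releases expose timezone-aware *_utc attributes;
    # fall back to the older naive ones if they are absent.
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after

    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        )
        san_dns = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        san_dns = []

    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "serial": cert.serial_number,
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "self_signed": cert.subject == cert.issuer,
        "san_dns": san_dns,
        "sha256": cert.fingerprint(hashes.SHA256()).hex(),
    }


def make_sample_cert() -> bytes:
    """Constructed sample: a self-signed, long-expired certificate for the
    hypothetical name client.example, returned as PEM bytes."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "client.example")])
    start = datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(42)
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=30))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName("client.example")]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    import sys

    # Usage: python describe_cert.py [cert.pem|cert.der]; with no argument the
    # constructed sample certificate is described instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = make_sample_cert()
    for key, value in describe_certificate(data).items():
        print(f"{key}: {value}")
```

Both PEM and DER input are accepted, so the script works on a file saved from the client as well as on the raw bytes a server obtains at the TLS layer. The expired sample is deliberate: it is exactly the certificate a verifying `verify_mode` would refuse, and the script still prints every field.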

